Windows Analysis Report
Windows Defender.exe

Overview

General Information

Sample name:	Windows Defender.exe
Analysis ID:	1478314
MD5:	f6d9f758f360decaf8e73f885be02571
SHA1:	ffc684a4500ade8e4e10e341880480db574a8642
SHA256:	03072c4acdc40c9aa06aab693d7a200934d5025d4c3ce46409ac6b435f2973bc
Tags:	64exeformbookxworm
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Windows Defender.exe

Avira: detected

Antivirus detection for URL or domain

Source: rest-root.gl.at.ply.gg

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Windows defender.exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: Windows Defender.exe

Malware Configuration Extractor: Xworm {"C2 url": ["rest-root.gl.at.ply.gg"], "Port": "22746", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Windows defender.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: Windows Defender.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Windows defender.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Windows Defender.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: Windows Defender.exe	String decryptor: rest-root.gl.at.ply.gg
Source: Windows Defender.exe	String decryptor: 22746
Source: Windows Defender.exe	String decryptor: <123456789>
Source: Windows Defender.exe	String decryptor: <Xwormmm>
Source: Windows Defender.exe	String decryptor: Windows Defender
Source: Windows Defender.exe	String decryptor: USB.exe
Source: Windows Defender.exe	String decryptor: %AppData%
Source: Windows Defender.exe	String decryptor: Windows defender.exe

Uses 32bit PE files

Source: Windows Defender.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Windows Defender.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\catroot2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\AppxSip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SYSTEM32\OpcServices.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\wshext.dll

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49737 -> 147.185.221.20:22746

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: rest-root.gl.at.ply.gg

Yara detected Generic Downloader

Source: Yara match	File source: Windows Defender.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Windows Defender.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Windows defender.exe, type: DROPPED

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49737 -> 147.185.221.20:22746

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 147.185.221.20 147.185.221.20

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: SALSGIVERUS SALSGIVERUS

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: rest-root.gl.at.ply.gg

Source: powershell.exe, 00000001.00000002.1777599701.00000183768D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000007.00000002.2019157164.000002C4FB5E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000007.00000002.2019157164.000002C4FB5E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000001.00000002.1776503483.0000018376630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000004.00000002.1872277415.00000166D3E9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: Windows Defender.exe, Windows defender.exe.0.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000001.00000002.1770364691.000001836E151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1857314352.00000166CB7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1985826490.000002C490071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2221696230.000001732C5A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://osoft.co
Source: powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1754844090.000001835E309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1805611860.00000166BB969000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1902775888.000002C480229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Windows Defender.exe, 00000000.00000002.2938486382.0000000002981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1754844090.000001835E0E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1805611860.00000166BB741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1902775888.000002C480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2057100718.0000017313D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1754844090.000001835E309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1805611860.00000166BB969000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1902775888.000002C480229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000007.00000002.2013027015.000002C4FB0FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0
Source: powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.2218935309.000001732C280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.?
Source: powershell.exe, 0000000B.00000002.2221696230.000001732C5F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000001.00000002.1754844090.000001835E0E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1805611860.00000166BB741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1902775888.000002C480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2057100718.0000017313D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1770364691.000001836E151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1857314352.00000166CB7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1985826490.000002C490071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\Windows Defender.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: Windows Defender.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Windows Defender.exe.12991a78.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.Windows Defender.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2968960632.0000000012991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1679736888.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Windows defender.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\Windows Defender.exe	Code function: 0_2_00007FFD9B8B5F5E	0_2_00007FFD9B8B5F5E
Source: C:\Users\user\Desktop\Windows Defender.exe	Code function: 0_2_00007FFD9B8B1719	0_2_00007FFD9B8B1719
Source: C:\Users\user\Desktop\Windows Defender.exe	Code function: 0_2_00007FFD9B8B21B1	0_2_00007FFD9B8B21B1
Source: C:\Users\user\Desktop\Windows Defender.exe	Code function: 0_2_00007FFD9B8B6D0E	0_2_00007FFD9B8B6D0E
Source: C:\Users\user\Desktop\Windows Defender.exe	Code function: 0_2_00007FFD9B8B108D	0_2_00007FFD9B8B108D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B9730E9	1_2_00007FFD9B9730E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B8B947D	7_2_00007FFD9B8B947D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9B9630E9	11_2_00007FFD9B9630E9
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Code function: 13_2_00007FFD9B871719	13_2_00007FFD9B871719
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Code function: 13_2_00007FFD9B871038	13_2_00007FFD9B871038
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Code function: 14_2_00007FFD9B8A1719	14_2_00007FFD9B8A1719
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Code function: 14_2_00007FFD9B8A1038	14_2_00007FFD9B8A1038

Uses 32bit PE files

Source: Windows Defender.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: Windows Defender.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Windows Defender.exe.12991a78.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.Windows Defender.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2968960632.0000000012991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1679736888.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\Windows defender.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: Windows Defender.exe, k9ZEaIQ7WE7abcI.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows Defender.exe, sjmftLizVeKZw8R.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows Defender.exe, sjmftLizVeKZw8R.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows defender.exe.0.dr, k9ZEaIQ7WE7abcI.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows defender.exe.0.dr, sjmftLizVeKZw8R.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows defender.exe.0.dr, sjmftLizVeKZw8R.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, k9ZEaIQ7WE7abcI.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, sjmftLizVeKZw8R.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, sjmftLizVeKZw8R.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Windows Defender.exe, DNAvWoxlxYdwRmJ.cs	Base64 encoded string: 'UEic17gcdPhei7NnSlP1I0Y58TvKNTbgrbxsIk5USybNlzFCkAlPuXlyHhTWVtuIOh2yjhKVZAfTP5zk'
Source: Windows Defender.exe, k9ZEaIQ7WE7abcI.cs	Base64 encoded string: 'rdcKgil9jw1X2zdhihPXMwx7NCEcpYuAy8GxwHjnbaqaCLbIs27TnYWaWe1xcOjZQGlC3JnA6kJmSSCg'
Source: Windows Defender.exe, I3Th8Mh3i2t6BO8.cs	Base64 encoded string: 'ooPbg3qvntthc1Q2MOaYfqnYeCorl1rGWJAqDjvVK7DZlR1HF8qVL2TtZT2FehNaORfpdfWI4xIKVGOW', 'h9zhxh8trJDojSxz4ITn1YDS9EBVcSKfoSMLUNeofbxf7OXBUGFWirolxmtB1QmR3yLjIYz1Jbf70ld4'
Source: Windows Defender.exe, sjmftLizVeKZw8R.cs	Base64 encoded string: 'WEghI6uy2hFG1KHMgJsxoeGDRWzqEtXs8BJ5FHd0UUsFI9xL92oq63FtNLGtTw2sloDAYe86xqB7xWXt', 'goU85lIv4pENuscgMlWnuHS2oToHNclhUeiw1bQyy3BRHZkddyFpORvr5PP0EKuQsTlLKXC1p4cENgGr', 'u157DBp3iqR0B6XEZqjM42CgiUFW8T92NU4BAOhwquDkhRdMBsSRYe3q0ySCXVY41HLaPayoYhYbajoK', 'tqQq3wWS7UeKjGfGpnRdlcBpI3wfpTJh73RVES4EmHVEHFQqzNTy1f0bMk0mVTx3pbPLNFw9u1ReOW6w', 'wd7w6tcGfInQeyX9f5URfqDdOrpwKnz6mRWILeMPyLBeJlKht2NlbHY6bA2j3aQjHclStR97zJuKSzyW', 'WnJk9xds6ydUfk9kYx3UmjnpPwVHYl0N9PXCifxGEbl0JaGMHSZSp3USKAX4jTQmffZNsCf0CrWmb6Ky', 'TmqrLHLStmuvVyBREn23NU36bUw6coOO3DKqyX6KEdnaLxzj6jKamhdm7B70VDI9NjKBrsaWPPmgLZvj', 'r9l0Gd958lkcLlCpgsAQlzFEmniYPhTO9bAv8mPCy3aD0FXmzLOzgVPhxOxNlDMaZZm6PYGEiZu477I4', 'rKRJC6Ohqhl8eju1hY25TerPmTIDZYfFw6VVcVUxBoOiru5yZrQMI81x3KvuCWSi2DDDhoPT8arLkRev', 'peqHxWF4qkAxGfZzCiLc9DOMMepLszbIlaZAZK7bPIgpg9Pfq1I5ZkjGHNcjNkeRrGlnSK15S8MtEmpm', 'oz2CHMvGGyPS5AfvXkUNKRWY70JRmDKBsB3OodHfbmgG6aj0wJlG0vaIV3O2joyTwzaUbAoxX83agaMp'
Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs	Base64 encoded string: 'ViJekX5myKyv49Z0rre4JgYbfabIkBmeQsIX0Lgd7HE2xxZQzMKkuFIVWP7D4qRmvir9dxSWtJ8IIX4p', 'zwD8WMc2WdKuVghVOFcg7UFSnswD7Nb6XXBVIff0WZuHnwmBYVmREHZXo5SGWC8nHVlwKx25WsDMTJIP', 'XF17ykcQAwVhqNmkqgqloozK6dJVhA90CNaNs8R49dbRb3NO4juUdeYTuDRBTWfQ3ozUVm3AbXwfDdcy', 'KEY4Vx29ifLGrOd4mzqFUgQFQWGAhK4tJZ9qfes3PNXMWLL68pOcGjPP4JpNgBjkACfl3KRqrxXT14T2'
Source: Windows Defender.exe, cwqxDxQiWlgCHGb.cs	Base64 encoded string: 'ZVH0I3tjoa1EqoTOQwyS3s1Pr9kdpODAaYH2Y5UxLB6MgijTZzCxyRsE2F9ORt54HNUvt9qBdMvEHPpQ', 'SpRLbf9VI6TjUykFmo9x1LpfSeva0PzcIz6eomkLPGMVXzc0Ys7qZ1xYjsMJ47OlUDbRMfpp0IQyW1op', 'V4p81Jz72fONymG0ufV4eOafKCddIidlLZKD6eLGhay9oToKxM1nGWxqdBthCGD9SIUaudEivy7m2J4c', 'GEAL1LI9RSVoLCL39R7H5RJxMKUVhXpSi99d1h28Vi8H9xeKkhts6HrLYmjPGLrbvMHSFvc5Fx3DCPLz', 'Lm0SPRS8nECsoK8zCJpxprvXwYnvtnTLTOZZ70Iu34zz9Zmq7Em9DmcSg8EAF2Odi4syFegf8Is0oJCm', 'S60u4i1SJ9h68Vmptzs1AIRSzItwQ7HIzAHWCERgOo87v8qDBPS3HAIK7ZbeNOPgb3HqUZZ9rD20GW54', 'W3O1L1iqrk8KhZ87RWoTqXVc4W2M2ObxSpXv7drMTpcKr8xwZ9PijAVxca3bYrp1HKtFzoxdfMzH5b25', 'ImqIeQfEfEMyLQcQIs3NOYe2TQLeusfAvxL7vfxIR0F5kavKW2smnIBHqOS4MchBmFKIgVBZcVcdPKTu', 'sPnkd3CF4h2wf0vADBLdSubVdskF9QK6YYDT7pAvmXhfvf3m4ZcKqKu5VrhTxjvcX9sYvAr6AE4I1MmI', 'Pwnz8L4g7Q1hkgJ1G6Y8tzeoRggKLIFcFm8I5Wb1IduXdvHK9QtF8xbpCI4JVuw7a4FkJGZ1kyja7INW', 'zTcoLtiDQUKEfbbQ9DMQA6t1vjQdNhiy2nhLIOymrl7HawDadJNdPVKyvmuuO9qUtf0MDMzx97Dfow7n', 'HssZBJNobvSzJLj2MqIbojCesksghFPp8FVlg2cMG3b1bECZar1xmRuNzJuazdBvqej1rtWFG6T65I7o', 'KMSLjKVtooNric6EzwGzjkjqc3f1ud45t8aBvjKmQ8lKIYTjir3D58mY5HBoiXzwzDx746dzREdaMrWl'
Source: Windows defender.exe.0.dr, DNAvWoxlxYdwRmJ.cs	Base64 encoded string: 'UEic17gcdPhei7NnSlP1I0Y58TvKNTbgrbxsIk5USybNlzFCkAlPuXlyHhTWVtuIOh2yjhKVZAfTP5zk'
Source: Windows defender.exe.0.dr, k9ZEaIQ7WE7abcI.cs	Base64 encoded string: 'rdcKgil9jw1X2zdhihPXMwx7NCEcpYuAy8GxwHjnbaqaCLbIs27TnYWaWe1xcOjZQGlC3JnA6kJmSSCg'
Source: Windows defender.exe.0.dr, I3Th8Mh3i2t6BO8.cs	Base64 encoded string: 'ooPbg3qvntthc1Q2MOaYfqnYeCorl1rGWJAqDjvVK7DZlR1HF8qVL2TtZT2FehNaORfpdfWI4xIKVGOW', 'h9zhxh8trJDojSxz4ITn1YDS9EBVcSKfoSMLUNeofbxf7OXBUGFWirolxmtB1QmR3yLjIYz1Jbf70ld4'
Source: Windows defender.exe.0.dr, sjmftLizVeKZw8R.cs	Base64 encoded string: 'WEghI6uy2hFG1KHMgJsxoeGDRWzqEtXs8BJ5FHd0UUsFI9xL92oq63FtNLGtTw2sloDAYe86xqB7xWXt', 'goU85lIv4pENuscgMlWnuHS2oToHNclhUeiw1bQyy3BRHZkddyFpORvr5PP0EKuQsTlLKXC1p4cENgGr', 'u157DBp3iqR0B6XEZqjM42CgiUFW8T92NU4BAOhwquDkhRdMBsSRYe3q0ySCXVY41HLaPayoYhYbajoK', 'tqQq3wWS7UeKjGfGpnRdlcBpI3wfpTJh73RVES4EmHVEHFQqzNTy1f0bMk0mVTx3pbPLNFw9u1ReOW6w', 'wd7w6tcGfInQeyX9f5URfqDdOrpwKnz6mRWILeMPyLBeJlKht2NlbHY6bA2j3aQjHclStR97zJuKSzyW', 'WnJk9xds6ydUfk9kYx3UmjnpPwVHYl0N9PXCifxGEbl0JaGMHSZSp3USKAX4jTQmffZNsCf0CrWmb6Ky', 'TmqrLHLStmuvVyBREn23NU36bUw6coOO3DKqyX6KEdnaLxzj6jKamhdm7B70VDI9NjKBrsaWPPmgLZvj', 'r9l0Gd958lkcLlCpgsAQlzFEmniYPhTO9bAv8mPCy3aD0FXmzLOzgVPhxOxNlDMaZZm6PYGEiZu477I4', 'rKRJC6Ohqhl8eju1hY25TerPmTIDZYfFw6VVcVUxBoOiru5yZrQMI81x3KvuCWSi2DDDhoPT8arLkRev', 'peqHxWF4qkAxGfZzCiLc9DOMMepLszbIlaZAZK7bPIgpg9Pfq1I5ZkjGHNcjNkeRrGlnSK15S8MtEmpm', 'oz2CHMvGGyPS5AfvXkUNKRWY70JRmDKBsB3OodHfbmgG6aj0wJlG0vaIV3O2joyTwzaUbAoxX83agaMp'
Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs	Base64 encoded string: 'ViJekX5myKyv49Z0rre4JgYbfabIkBmeQsIX0Lgd7HE2xxZQzMKkuFIVWP7D4qRmvir9dxSWtJ8IIX4p', 'zwD8WMc2WdKuVghVOFcg7UFSnswD7Nb6XXBVIff0WZuHnwmBYVmREHZXo5SGWC8nHVlwKx25WsDMTJIP', 'XF17ykcQAwVhqNmkqgqloozK6dJVhA90CNaNs8R49dbRb3NO4juUdeYTuDRBTWfQ3ozUVm3AbXwfDdcy', 'KEY4Vx29ifLGrOd4mzqFUgQFQWGAhK4tJZ9qfes3PNXMWLL68pOcGjPP4JpNgBjkACfl3KRqrxXT14T2'
Source: Windows defender.exe.0.dr, cwqxDxQiWlgCHGb.cs	Base64 encoded string: 'ZVH0I3tjoa1EqoTOQwyS3s1Pr9kdpODAaYH2Y5UxLB6MgijTZzCxyRsE2F9ORt54HNUvt9qBdMvEHPpQ', 'SpRLbf9VI6TjUykFmo9x1LpfSeva0PzcIz6eomkLPGMVXzc0Ys7qZ1xYjsMJ47OlUDbRMfpp0IQyW1op', 'V4p81Jz72fONymG0ufV4eOafKCddIidlLZKD6eLGhay9oToKxM1nGWxqdBthCGD9SIUaudEivy7m2J4c', 'GEAL1LI9RSVoLCL39R7H5RJxMKUVhXpSi99d1h28Vi8H9xeKkhts6HrLYmjPGLrbvMHSFvc5Fx3DCPLz', 'Lm0SPRS8nECsoK8zCJpxprvXwYnvtnTLTOZZ70Iu34zz9Zmq7Em9DmcSg8EAF2Odi4syFegf8Is0oJCm', 'S60u4i1SJ9h68Vmptzs1AIRSzItwQ7HIzAHWCERgOo87v8qDBPS3HAIK7ZbeNOPgb3HqUZZ9rD20GW54', 'W3O1L1iqrk8KhZ87RWoTqXVc4W2M2ObxSpXv7drMTpcKr8xwZ9PijAVxca3bYrp1HKtFzoxdfMzH5b25', 'ImqIeQfEfEMyLQcQIs3NOYe2TQLeusfAvxL7vfxIR0F5kavKW2smnIBHqOS4MchBmFKIgVBZcVcdPKTu', 'sPnkd3CF4h2wf0vADBLdSubVdskF9QK6YYDT7pAvmXhfvf3m4ZcKqKu5VrhTxjvcX9sYvAr6AE4I1MmI', 'Pwnz8L4g7Q1hkgJ1G6Y8tzeoRggKLIFcFm8I5Wb1IduXdvHK9QtF8xbpCI4JVuw7a4FkJGZ1kyja7INW', 'zTcoLtiDQUKEfbbQ9DMQA6t1vjQdNhiy2nhLIOymrl7HawDadJNdPVKyvmuuO9qUtf0MDMzx97Dfow7n', 'HssZBJNobvSzJLj2MqIbojCesksghFPp8FVlg2cMG3b1bECZar1xmRuNzJuazdBvqej1rtWFG6T65I7o', 'KMSLjKVtooNric6EzwGzjkjqc3f1ud45t8aBvjKmQ8lKIYTjir3D58mY5HBoiXzwzDx746dzREdaMrWl'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, DNAvWoxlxYdwRmJ.cs	Base64 encoded string: 'UEic17gcdPhei7NnSlP1I0Y58TvKNTbgrbxsIk5USybNlzFCkAlPuXlyHhTWVtuIOh2yjhKVZAfTP5zk'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, k9ZEaIQ7WE7abcI.cs	Base64 encoded string: 'rdcKgil9jw1X2zdhihPXMwx7NCEcpYuAy8GxwHjnbaqaCLbIs27TnYWaWe1xcOjZQGlC3JnA6kJmSSCg'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, I3Th8Mh3i2t6BO8.cs	Base64 encoded string: 'ooPbg3qvntthc1Q2MOaYfqnYeCorl1rGWJAqDjvVK7DZlR1HF8qVL2TtZT2FehNaORfpdfWI4xIKVGOW', 'h9zhxh8trJDojSxz4ITn1YDS9EBVcSKfoSMLUNeofbxf7OXBUGFWirolxmtB1QmR3yLjIYz1Jbf70ld4'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, sjmftLizVeKZw8R.cs	Base64 encoded string: 'WEghI6uy2hFG1KHMgJsxoeGDRWzqEtXs8BJ5FHd0UUsFI9xL92oq63FtNLGtTw2sloDAYe86xqB7xWXt', 'goU85lIv4pENuscgMlWnuHS2oToHNclhUeiw1bQyy3BRHZkddyFpORvr5PP0EKuQsTlLKXC1p4cENgGr', 'u157DBp3iqR0B6XEZqjM42CgiUFW8T92NU4BAOhwquDkhRdMBsSRYe3q0ySCXVY41HLaPayoYhYbajoK', 'tqQq3wWS7UeKjGfGpnRdlcBpI3wfpTJh73RVES4EmHVEHFQqzNTy1f0bMk0mVTx3pbPLNFw9u1ReOW6w', 'wd7w6tcGfInQeyX9f5URfqDdOrpwKnz6mRWILeMPyLBeJlKht2NlbHY6bA2j3aQjHclStR97zJuKSzyW', 'WnJk9xds6ydUfk9kYx3UmjnpPwVHYl0N9PXCifxGEbl0JaGMHSZSp3USKAX4jTQmffZNsCf0CrWmb6Ky', 'TmqrLHLStmuvVyBREn23NU36bUw6coOO3DKqyX6KEdnaLxzj6jKamhdm7B70VDI9NjKBrsaWPPmgLZvj', 'r9l0Gd958lkcLlCpgsAQlzFEmniYPhTO9bAv8mPCy3aD0FXmzLOzgVPhxOxNlDMaZZm6PYGEiZu477I4', 'rKRJC6Ohqhl8eju1hY25TerPmTIDZYfFw6VVcVUxBoOiru5yZrQMI81x3KvuCWSi2DDDhoPT8arLkRev', 'peqHxWF4qkAxGfZzCiLc9DOMMepLszbIlaZAZK7bPIgpg9Pfq1I5ZkjGHNcjNkeRrGlnSK15S8MtEmpm', 'oz2CHMvGGyPS5AfvXkUNKRWY70JRmDKBsB3OodHfbmgG6aj0wJlG0vaIV3O2joyTwzaUbAoxX83agaMp'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs	Base64 encoded string: 'ViJekX5myKyv49Z0rre4JgYbfabIkBmeQsIX0Lgd7HE2xxZQzMKkuFIVWP7D4qRmvir9dxSWtJ8IIX4p', 'zwD8WMc2WdKuVghVOFcg7UFSnswD7Nb6XXBVIff0WZuHnwmBYVmREHZXo5SGWC8nHVlwKx25WsDMTJIP', 'XF17ykcQAwVhqNmkqgqloozK6dJVhA90CNaNs8R49dbRb3NO4juUdeYTuDRBTWfQ3ozUVm3AbXwfDdcy', 'KEY4Vx29ifLGrOd4mzqFUgQFQWGAhK4tJZ9qfes3PNXMWLL68pOcGjPP4JpNgBjkACfl3KRqrxXT14T2'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, cwqxDxQiWlgCHGb.cs	Base64 encoded string: 'ZVH0I3tjoa1EqoTOQwyS3s1Pr9kdpODAaYH2Y5UxLB6MgijTZzCxyRsE2F9ORt54HNUvt9qBdMvEHPpQ', 'SpRLbf9VI6TjUykFmo9x1LpfSeva0PzcIz6eomkLPGMVXzc0Ys7qZ1xYjsMJ47OlUDbRMfpp0IQyW1op', 'V4p81Jz72fONymG0ufV4eOafKCddIidlLZKD6eLGhay9oToKxM1nGWxqdBthCGD9SIUaudEivy7m2J4c', 'GEAL1LI9RSVoLCL39R7H5RJxMKUVhXpSi99d1h28Vi8H9xeKkhts6HrLYmjPGLrbvMHSFvc5Fx3DCPLz', 'Lm0SPRS8nECsoK8zCJpxprvXwYnvtnTLTOZZ70Iu34zz9Zmq7Em9DmcSg8EAF2Odi4syFegf8Is0oJCm', 'S60u4i1SJ9h68Vmptzs1AIRSzItwQ7HIzAHWCERgOo87v8qDBPS3HAIK7ZbeNOPgb3HqUZZ9rD20GW54', 'W3O1L1iqrk8KhZ87RWoTqXVc4W2M2ObxSpXv7drMTpcKr8xwZ9PijAVxca3bYrp1HKtFzoxdfMzH5b25', 'ImqIeQfEfEMyLQcQIs3NOYe2TQLeusfAvxL7vfxIR0F5kavKW2smnIBHqOS4MchBmFKIgVBZcVcdPKTu', 'sPnkd3CF4h2wf0vADBLdSubVdskF9QK6YYDT7pAvmXhfvf3m4ZcKqKu5VrhTxjvcX9sYvAr6AE4I1MmI', 'Pwnz8L4g7Q1hkgJ1G6Y8tzeoRggKLIFcFm8I5Wb1IduXdvHK9QtF8xbpCI4JVuw7a4FkJGZ1kyja7INW', 'zTcoLtiDQUKEfbbQ9DMQA6t1vjQdNhiy2nhLIOymrl7HawDadJNdPVKyvmuuO9qUtf0MDMzx97Dfow7n', 'HssZBJNobvSzJLj2MqIbojCesksghFPp8FVlg2cMG3b1bECZar1xmRuNzJuazdBvqej1rtWFG6T65I7o', 'KMSLjKVtooNric6EzwGzjkjqc3f1ud45t8aBvjKmQ8lKIYTjir3D58mY5HBoiXzwzDx746dzREdaMrWl'

Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, 85IhxSGtOfNN64Z.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, 85IhxSGtOfNN64Z.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Windows defender.exe.0.dr, 85IhxSGtOfNN64Z.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Windows defender.exe.0.dr, 85IhxSGtOfNN64Z.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Windows Defender.exe, 85IhxSGtOfNN64Z.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Windows Defender.exe, 85IhxSGtOfNN64Z.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/21@2/2

Source: C:\Users\user\Desktop\Windows Defender.exe

File created: C:\Users\user\AppData\Roaming\Windows defender.exe

Jump to behavior

Source: C:\Users\user\Desktop\Windows Defender.exe	Mutant created: \Sessions\1\BaseNamedObjects\Vi0dGCBzRjwIFWiY
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1028:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03

Source: C:\Users\user\Desktop\Windows Defender.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: Windows Defender.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Windows Defender.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Windows Defender.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Windows Defender.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Windows Defender.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\Windows Defender.exe

File read: C:\Users\user\Desktop\Windows Defender.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Windows Defender.exe "C:\Users\user\Desktop\Windows Defender.exe"
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windows defender.exe "C:\Users\user\AppData\Roaming\Windows defender.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windows defender.exe "C:\Users\user\AppData\Roaming\Windows defender.exe"
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows defender.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows defender.exe'	Jump to behavior

Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\Windows Defender.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Windows defender.lnk.0.dr

LNK file: ..\..\..\..\..\Windows defender.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Windows Defender.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Windows Defender.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{IiG77VCIYIyAinp.SAF5KmKklxldXEs,IiG77VCIYIyAinp.LotdAze8Ef6WJIY,IiG77VCIYIyAinp.Kx9554HmAGalplp,IiG77VCIYIyAinp.wqwaheO8RVJ9q8D,sjmftLizVeKZw8R.oZBtFDCxkh7P706()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UyHzfp1JBRCQZN0[2],sjmftLizVeKZw8R.LmgXrb8KxfqOZHi(Convert.FromBase64String(UyHzfp1JBRCQZN0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{IiG77VCIYIyAinp.SAF5KmKklxldXEs,IiG77VCIYIyAinp.LotdAze8Ef6WJIY,IiG77VCIYIyAinp.Kx9554HmAGalplp,IiG77VCIYIyAinp.wqwaheO8RVJ9q8D,sjmftLizVeKZw8R.oZBtFDCxkh7P706()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UyHzfp1JBRCQZN0[2],sjmftLizVeKZw8R.LmgXrb8KxfqOZHi(Convert.FromBase64String(UyHzfp1JBRCQZN0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{IiG77VCIYIyAinp.SAF5KmKklxldXEs,IiG77VCIYIyAinp.LotdAze8Ef6WJIY,IiG77VCIYIyAinp.Kx9554HmAGalplp,IiG77VCIYIyAinp.wqwaheO8RVJ9q8D,sjmftLizVeKZw8R.oZBtFDCxkh7P706()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UyHzfp1JBRCQZN0[2],sjmftLizVeKZw8R.LmgXrb8KxfqOZHi(Convert.FromBase64String(UyHzfp1JBRCQZN0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs	.Net Code: _6l4VVkKWlLft6pE System.AppDomain.Load(byte[])
Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs	.Net Code: _2yleSFZfrEaaNXy System.AppDomain.Load(byte[])
Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs	.Net Code: _2yleSFZfrEaaNXy
Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs	.Net Code: _6l4VVkKWlLft6pE System.AppDomain.Load(byte[])
Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs	.Net Code: _2yleSFZfrEaaNXy System.AppDomain.Load(byte[])
Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs	.Net Code: _2yleSFZfrEaaNXy
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs	.Net Code: _6l4VVkKWlLft6pE System.AppDomain.Load(byte[])
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs	.Net Code: _2yleSFZfrEaaNXy System.AppDomain.Load(byte[])
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs	.Net Code: _2yleSFZfrEaaNXy

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B78D2A5 pushad ; iretd	1_2_00007FFD9B78D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8A0972 push E95A82D0h; ret	1_2_00007FFD9B8A09C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8A1074 push E85B8B0Dh; ret	1_2_00007FFD9B8A10F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B972316 push 8B485F92h; iretd	1_2_00007FFD9B97231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B78D2A5 pushad ; iretd	4_2_00007FFD9B78D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B972316 push 8B485F92h; iretd	4_2_00007FFD9B97231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B79D2A5 pushad ; iretd	7_2_00007FFD9B79D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B982316 push 8B485F91h; iretd	7_2_00007FFD9B98231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9B77D2A5 pushad ; iretd	11_2_00007FFD9B77D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9B962316 push 8B485F93h; iretd	11_2_00007FFD9B96231B

Source: Windows Defender.exe, 4HsJjuIP2UkRI9R.cs	High entropy of concatenated method names: 'jfw6pgiyRlXjLvW', '_73kiPYRZTt9iH8K', 'LuMB2o4Uhl3slYm', '_5iGvflySuJ2XB7mOoMsErBneGDDGoTVQxB7zXHDoI1b0LC9IeT7lXims44Ai1VS7R', 'qsUJnoNFDmuJGsQgdplxKlxv63v6KavmbVtF0JwKJQAA07HzBLj1iDe8rhkxBPZOs', 'YeW5xHeQumgoAkjFU2J9qnRqbGllYzYTu1JWTlFx65nbNgN6kfL4Tj3g8N066pGVH', 'C9g9BCZonES8wz7DXkLz8oNb9f926DDafJELUyu01BVE34DuE34v1X1ttiQoMK0Fl', '_6GrR4BNPHoCS3xvSYAnwhYYm8IFBAqwW3S7L67cWPC8A5B5CuHuaIboPDwjsyuUX7', 'rjcbd1yYzzaaY8lGu3cfV6xgZbMypogrooTZ5z7t3LIHv5eZFM7fWXHCLBBb8vEkG', 'AwF5JHjCl5FhRMAkYMRBiy5ekbqTyLdWmHkLQp1gM6RrCm8sIApYyfqhmokialfEU'
Source: Windows Defender.exe, IiG77VCIYIyAinp.cs	High entropy of concatenated method names: 'On7tk7CL4ICqwtJ17iyjvmroiyw8WZlr4MB4LP0nA8dx3ySI', 'V7eUuu0Dc75KTOrci9ReUfHmMHpjn3wFJJRKZH6QBZt45qfA', '_7V3NAsTVvEpV1KghbpMBUBfXxJ0gqd14EW7QgC5jRRCOicxa', 'H3wsgnzQp18ON9bs9wjvVyXbX9kSmtp8LrrlKFAIKltFLuZt'
Source: Windows Defender.exe, GzYlpNyzaslb0P5ovfphEnusQWYGKo.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'EJzGa7Ric7poYCgb41mvt5ldgjt51zq0BhFA1Xjj4wvS8InZ', 'GQ7tE9xs7bgguiu4ayikFAYQW0uh1MtAiHNsSkYdUqkdsLPI', 'omqgjj5ThJ8sFg3yxDaEwabnJhSmuqwI4e38fCjJrhdNKM5V', 'fsP5Xf2jdvqOWEV11Et9IH91ihdTx8o2dGfo9jMlkXZcQBQX'
Source: Windows Defender.exe, yfcXnm8Ph88Q7SS.cs	High entropy of concatenated method names: 'YxIUiUb1239uDz3', 'gMqKkY39oBJdPEc', 'wDmblHZzi5ufWIx', 'fIi1pkQemOV1VOg', 'LP2QKJGgCnpmSZ9', 'LIjuTg9mGO9GE6i', 'HzUFxULiarW50EW', '_80kl1VPnKSNLHn1', 'Dm2owszwUpyoSfa', 'hfZTr2VHFCTKyZz'
Source: Windows Defender.exe, DNAvWoxlxYdwRmJ.cs	High entropy of concatenated method names: 'YIMRtj1s9oNdU0N', '_5520HD1l8I2XRvvtXor9rfriehZm8XltHQUn20fvMgMr2pscG6OXUObl62pMLvYKdozsLDDyfkrTUzmW', 'kiAxGyXDIwuNBtK5wSL03PDYcLGzFoSqgROWN7GzW8uxRe1zCAcaKSVXJCHkWSmyAx9dKZPxZnbkoans', 'UBEhOpEhEJVw0VvqFMFmXP0eFyLMjTEZiaEqtdOUt1LVVYwizDfaeR1OegbFNjEvIFl2IUDB5TiCzhtw', 'Q3EP9OA0Z2GirNFLWCgus087plBS9P1WIaB5fpMmWaE5VJSj6kbZXEy1T1A2SkZr06zNXvZHj8S5hGZy'
Source: Windows Defender.exe, 85IhxSGtOfNN64Z.cs	High entropy of concatenated method names: 'yWre6hYlj3lAFIe', 'w53lih6zzuxhdoo', 'ztKj3tzVIquKCWN', 'iAZZ3meOOCoWCuv', 'AG6EflH4htfZrjb', 'di3uQfxFg5FUgGd', 'SUaVC5nJy749fR2', 'Ml9Lz9F6G4XkEEc', 'gxrqTZHTbl6sS38', 'EoQBMeo9SVrfYpN'
Source: Windows Defender.exe, k9ZEaIQ7WE7abcI.cs	High entropy of concatenated method names: 'SYKN04mGwOtKVri', 'RXvOTn7ZPneJ4ZmOWPMXI2mHhemT0Op6a4Wr1k71y4plI4drhye04rKq9kMGh3xstgorqutmVwu8tcdV', '_9wlF4qXH0wGWgIlS9v9hUETRfiDCq4jhZJgaODbm9EYAkznyRHytEMnJ4sCOFGcXoQJWorb0sK3GUFG9', 'kSb5yxplkRlmGSPlEOM22U9HEoVFXc5txExM3cE5l909fwyxWVquMoNW09PCg57MSbhzrIynoB6jPMdf', '_82BSeVPHTKcOIrF2B5Rgi85jyt297gdkbsm9gtzjOjptS0tyVVEGOljUszwSogP0eu0zgr2L7yYMZezB'
Source: Windows Defender.exe, I3Th8Mh3i2t6BO8.cs	High entropy of concatenated method names: 'ycTB3QchYaPi6ld', 'deWxASI79woyq9X', '_0n7KpTltKIHYr4T', 'cnoumh2fnWdtSFr', 'pPbZfiyGiLZG83y0NXDujtd2OM9WsXrz7NxMSTjqhuuqXe5XIiwVCIBWN2VwcjY0oBNfeFPxal0iaAv6', 'lUNdOxJmo5suVRX8JZ85chk8dM8838T0TptE9RG0agy0GZKB25UGwHyyGXQzzotyY8KLjqrlJW1NAgA4', '_4vaG21eQNCBulv8UEgvZCAGl3LLf0chsyWtLb0RTqD5A7FuuJ1qSC6ANZnjGgbj59DVznlAqMwOu0LBo', 'Oy6IC0Gx3rsmgu9XRxA3eALAbWTpa6qGsJVPVVuv2so4quJbzZpYJpfbZZgBRr0MRDQQcTswHO6B3PEB', 'GmuG9UvlyARiNeQmXPqoYPMWFFeN1J2qPCDGaWZFGxmfPxArgsFTyoZrkl68opIm9IqICHdpruCNVwyD', 'EY72UclcflxCpseqbhJFb2aRgAGvqfAxZFhVmgMBW6u46L1oNPeisTXrv4zGXLoMmlDtzGeHk2ylsHpd'
Source: Windows Defender.exe, sjmftLizVeKZw8R.cs	High entropy of concatenated method names: 'fC2Hv3iN2A8bbkN', 'LDG4MG013gN6bXu', 'e5Y4CqvEcAEoHx6', 'WxHBkeBtQLLel5W', 'LclPVtD49F1s3Ze', 'HQae3xAr1kaUxi8', '_4JhsqusRTKSKtTK', 'KBnf1CAHIhlDR6u', 'TQKV9rsqz5qXI2U', 'eztSPsRMjtnDHAH'
Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs	High entropy of concatenated method names: 'ZA1wSX8Y9rkyTOK', '_6l4VVkKWlLft6pE', 'mPqymSheHPUODwD', 'L2l2tsx1mGtScNH', 'GgWLdnBgKUFVsKe', 'mAzEPTGccxcwXrt', 'Ngd0V2uENuoJV7Y', '_1avyPG6avJrhMmb', 'YwYLCnL16L0IAiE', 'DfKhJS0b7F4dMa0'
Source: Windows Defender.exe, cwqxDxQiWlgCHGb.cs	High entropy of concatenated method names: 'NKOK6UgjJmOa6Im', 'igBJYGsMPitE6DG', 'jVpPD8sTfj9Nd10', 'G3EE5RtitA8krxl', 'Iz350rgzj3tqXNt', '_2LohON0bxHVhFNj', 'ufnMJe4vzMbpR6d', 'ifAbAoEYZVj5dHE', 'cIT6pad9Nfm5BIM', 'tkvQFISXvFMdFiN'
Source: Windows defender.exe.0.dr, 4HsJjuIP2UkRI9R.cs	High entropy of concatenated method names: 'jfw6pgiyRlXjLvW', '_73kiPYRZTt9iH8K', 'LuMB2o4Uhl3slYm', '_5iGvflySuJ2XB7mOoMsErBneGDDGoTVQxB7zXHDoI1b0LC9IeT7lXims44Ai1VS7R', 'qsUJnoNFDmuJGsQgdplxKlxv63v6KavmbVtF0JwKJQAA07HzBLj1iDe8rhkxBPZOs', 'YeW5xHeQumgoAkjFU2J9qnRqbGllYzYTu1JWTlFx65nbNgN6kfL4Tj3g8N066pGVH', 'C9g9BCZonES8wz7DXkLz8oNb9f926DDafJELUyu01BVE34DuE34v1X1ttiQoMK0Fl', '_6GrR4BNPHoCS3xvSYAnwhYYm8IFBAqwW3S7L67cWPC8A5B5CuHuaIboPDwjsyuUX7', 'rjcbd1yYzzaaY8lGu3cfV6xgZbMypogrooTZ5z7t3LIHv5eZFM7fWXHCLBBb8vEkG', 'AwF5JHjCl5FhRMAkYMRBiy5ekbqTyLdWmHkLQp1gM6RrCm8sIApYyfqhmokialfEU'
Source: Windows defender.exe.0.dr, IiG77VCIYIyAinp.cs	High entropy of concatenated method names: 'On7tk7CL4ICqwtJ17iyjvmroiyw8WZlr4MB4LP0nA8dx3ySI', 'V7eUuu0Dc75KTOrci9ReUfHmMHpjn3wFJJRKZH6QBZt45qfA', '_7V3NAsTVvEpV1KghbpMBUBfXxJ0gqd14EW7QgC5jRRCOicxa', 'H3wsgnzQp18ON9bs9wjvVyXbX9kSmtp8LrrlKFAIKltFLuZt'
Source: Windows defender.exe.0.dr, GzYlpNyzaslb0P5ovfphEnusQWYGKo.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'EJzGa7Ric7poYCgb41mvt5ldgjt51zq0BhFA1Xjj4wvS8InZ', 'GQ7tE9xs7bgguiu4ayikFAYQW0uh1MtAiHNsSkYdUqkdsLPI', 'omqgjj5ThJ8sFg3yxDaEwabnJhSmuqwI4e38fCjJrhdNKM5V', 'fsP5Xf2jdvqOWEV11Et9IH91ihdTx8o2dGfo9jMlkXZcQBQX'
Source: Windows defender.exe.0.dr, yfcXnm8Ph88Q7SS.cs	High entropy of concatenated method names: 'YxIUiUb1239uDz3', 'gMqKkY39oBJdPEc', 'wDmblHZzi5ufWIx', 'fIi1pkQemOV1VOg', 'LP2QKJGgCnpmSZ9', 'LIjuTg9mGO9GE6i', 'HzUFxULiarW50EW', '_80kl1VPnKSNLHn1', 'Dm2owszwUpyoSfa', 'hfZTr2VHFCTKyZz'
Source: Windows defender.exe.0.dr, DNAvWoxlxYdwRmJ.cs	High entropy of concatenated method names: 'YIMRtj1s9oNdU0N', '_5520HD1l8I2XRvvtXor9rfriehZm8XltHQUn20fvMgMr2pscG6OXUObl62pMLvYKdozsLDDyfkrTUzmW', 'kiAxGyXDIwuNBtK5wSL03PDYcLGzFoSqgROWN7GzW8uxRe1zCAcaKSVXJCHkWSmyAx9dKZPxZnbkoans', 'UBEhOpEhEJVw0VvqFMFmXP0eFyLMjTEZiaEqtdOUt1LVVYwizDfaeR1OegbFNjEvIFl2IUDB5TiCzhtw', 'Q3EP9OA0Z2GirNFLWCgus087plBS9P1WIaB5fpMmWaE5VJSj6kbZXEy1T1A2SkZr06zNXvZHj8S5hGZy'
Source: Windows defender.exe.0.dr, 85IhxSGtOfNN64Z.cs	High entropy of concatenated method names: 'yWre6hYlj3lAFIe', 'w53lih6zzuxhdoo', 'ztKj3tzVIquKCWN', 'iAZZ3meOOCoWCuv', 'AG6EflH4htfZrjb', 'di3uQfxFg5FUgGd', 'SUaVC5nJy749fR2', 'Ml9Lz9F6G4XkEEc', 'gxrqTZHTbl6sS38', 'EoQBMeo9SVrfYpN'
Source: Windows defender.exe.0.dr, k9ZEaIQ7WE7abcI.cs	High entropy of concatenated method names: 'SYKN04mGwOtKVri', 'RXvOTn7ZPneJ4ZmOWPMXI2mHhemT0Op6a4Wr1k71y4plI4drhye04rKq9kMGh3xstgorqutmVwu8tcdV', '_9wlF4qXH0wGWgIlS9v9hUETRfiDCq4jhZJgaODbm9EYAkznyRHytEMnJ4sCOFGcXoQJWorb0sK3GUFG9', 'kSb5yxplkRlmGSPlEOM22U9HEoVFXc5txExM3cE5l909fwyxWVquMoNW09PCg57MSbhzrIynoB6jPMdf', '_82BSeVPHTKcOIrF2B5Rgi85jyt297gdkbsm9gtzjOjptS0tyVVEGOljUszwSogP0eu0zgr2L7yYMZezB'
Source: Windows defender.exe.0.dr, I3Th8Mh3i2t6BO8.cs	High entropy of concatenated method names: 'ycTB3QchYaPi6ld', 'deWxASI79woyq9X', '_0n7KpTltKIHYr4T', 'cnoumh2fnWdtSFr', 'pPbZfiyGiLZG83y0NXDujtd2OM9WsXrz7NxMSTjqhuuqXe5XIiwVCIBWN2VwcjY0oBNfeFPxal0iaAv6', 'lUNdOxJmo5suVRX8JZ85chk8dM8838T0TptE9RG0agy0GZKB25UGwHyyGXQzzotyY8KLjqrlJW1NAgA4', '_4vaG21eQNCBulv8UEgvZCAGl3LLf0chsyWtLb0RTqD5A7FuuJ1qSC6ANZnjGgbj59DVznlAqMwOu0LBo', 'Oy6IC0Gx3rsmgu9XRxA3eALAbWTpa6qGsJVPVVuv2so4quJbzZpYJpfbZZgBRr0MRDQQcTswHO6B3PEB', 'GmuG9UvlyARiNeQmXPqoYPMWFFeN1J2qPCDGaWZFGxmfPxArgsFTyoZrkl68opIm9IqICHdpruCNVwyD', 'EY72UclcflxCpseqbhJFb2aRgAGvqfAxZFhVmgMBW6u46L1oNPeisTXrv4zGXLoMmlDtzGeHk2ylsHpd'
Source: Windows defender.exe.0.dr, sjmftLizVeKZw8R.cs	High entropy of concatenated method names: 'fC2Hv3iN2A8bbkN', 'LDG4MG013gN6bXu', 'e5Y4CqvEcAEoHx6', 'WxHBkeBtQLLel5W', 'LclPVtD49F1s3Ze', 'HQae3xAr1kaUxi8', '_4JhsqusRTKSKtTK', 'KBnf1CAHIhlDR6u', 'TQKV9rsqz5qXI2U', 'eztSPsRMjtnDHAH'
Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs	High entropy of concatenated method names: 'ZA1wSX8Y9rkyTOK', '_6l4VVkKWlLft6pE', 'mPqymSheHPUODwD', 'L2l2tsx1mGtScNH', 'GgWLdnBgKUFVsKe', 'mAzEPTGccxcwXrt', 'Ngd0V2uENuoJV7Y', '_1avyPG6avJrhMmb', 'YwYLCnL16L0IAiE', 'DfKhJS0b7F4dMa0'
Source: Windows defender.exe.0.dr, cwqxDxQiWlgCHGb.cs	High entropy of concatenated method names: 'NKOK6UgjJmOa6Im', 'igBJYGsMPitE6DG', 'jVpPD8sTfj9Nd10', 'G3EE5RtitA8krxl', 'Iz350rgzj3tqXNt', '_2LohON0bxHVhFNj', 'ufnMJe4vzMbpR6d', 'ifAbAoEYZVj5dHE', 'cIT6pad9Nfm5BIM', 'tkvQFISXvFMdFiN'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, 4HsJjuIP2UkRI9R.cs	High entropy of concatenated method names: 'jfw6pgiyRlXjLvW', '_73kiPYRZTt9iH8K', 'LuMB2o4Uhl3slYm', '_5iGvflySuJ2XB7mOoMsErBneGDDGoTVQxB7zXHDoI1b0LC9IeT7lXims44Ai1VS7R', 'qsUJnoNFDmuJGsQgdplxKlxv63v6KavmbVtF0JwKJQAA07HzBLj1iDe8rhkxBPZOs', 'YeW5xHeQumgoAkjFU2J9qnRqbGllYzYTu1JWTlFx65nbNgN6kfL4Tj3g8N066pGVH', 'C9g9BCZonES8wz7DXkLz8oNb9f926DDafJELUyu01BVE34DuE34v1X1ttiQoMK0Fl', '_6GrR4BNPHoCS3xvSYAnwhYYm8IFBAqwW3S7L67cWPC8A5B5CuHuaIboPDwjsyuUX7', 'rjcbd1yYzzaaY8lGu3cfV6xgZbMypogrooTZ5z7t3LIHv5eZFM7fWXHCLBBb8vEkG', 'AwF5JHjCl5FhRMAkYMRBiy5ekbqTyLdWmHkLQp1gM6RrCm8sIApYyfqhmokialfEU'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, IiG77VCIYIyAinp.cs	High entropy of concatenated method names: 'On7tk7CL4ICqwtJ17iyjvmroiyw8WZlr4MB4LP0nA8dx3ySI', 'V7eUuu0Dc75KTOrci9ReUfHmMHpjn3wFJJRKZH6QBZt45qfA', '_7V3NAsTVvEpV1KghbpMBUBfXxJ0gqd14EW7QgC5jRRCOicxa', 'H3wsgnzQp18ON9bs9wjvVyXbX9kSmtp8LrrlKFAIKltFLuZt'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, GzYlpNyzaslb0P5ovfphEnusQWYGKo.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'EJzGa7Ric7poYCgb41mvt5ldgjt51zq0BhFA1Xjj4wvS8InZ', 'GQ7tE9xs7bgguiu4ayikFAYQW0uh1MtAiHNsSkYdUqkdsLPI', 'omqgjj5ThJ8sFg3yxDaEwabnJhSmuqwI4e38fCjJrhdNKM5V', 'fsP5Xf2jdvqOWEV11Et9IH91ihdTx8o2dGfo9jMlkXZcQBQX'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, yfcXnm8Ph88Q7SS.cs	High entropy of concatenated method names: 'YxIUiUb1239uDz3', 'gMqKkY39oBJdPEc', 'wDmblHZzi5ufWIx', 'fIi1pkQemOV1VOg', 'LP2QKJGgCnpmSZ9', 'LIjuTg9mGO9GE6i', 'HzUFxULiarW50EW', '_80kl1VPnKSNLHn1', 'Dm2owszwUpyoSfa', 'hfZTr2VHFCTKyZz'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, DNAvWoxlxYdwRmJ.cs	High entropy of concatenated method names: 'YIMRtj1s9oNdU0N', '_5520HD1l8I2XRvvtXor9rfriehZm8XltHQUn20fvMgMr2pscG6OXUObl62pMLvYKdozsLDDyfkrTUzmW', 'kiAxGyXDIwuNBtK5wSL03PDYcLGzFoSqgROWN7GzW8uxRe1zCAcaKSVXJCHkWSmyAx9dKZPxZnbkoans', 'UBEhOpEhEJVw0VvqFMFmXP0eFyLMjTEZiaEqtdOUt1LVVYwizDfaeR1OegbFNjEvIFl2IUDB5TiCzhtw', 'Q3EP9OA0Z2GirNFLWCgus087plBS9P1WIaB5fpMmWaE5VJSj6kbZXEy1T1A2SkZr06zNXvZHj8S5hGZy'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, 85IhxSGtOfNN64Z.cs	High entropy of concatenated method names: 'yWre6hYlj3lAFIe', 'w53lih6zzuxhdoo', 'ztKj3tzVIquKCWN', 'iAZZ3meOOCoWCuv', 'AG6EflH4htfZrjb', 'di3uQfxFg5FUgGd', 'SUaVC5nJy749fR2', 'Ml9Lz9F6G4XkEEc', 'gxrqTZHTbl6sS38', 'EoQBMeo9SVrfYpN'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, k9ZEaIQ7WE7abcI.cs	High entropy of concatenated method names: 'SYKN04mGwOtKVri', 'RXvOTn7ZPneJ4ZmOWPMXI2mHhemT0Op6a4Wr1k71y4plI4drhye04rKq9kMGh3xstgorqutmVwu8tcdV', '_9wlF4qXH0wGWgIlS9v9hUETRfiDCq4jhZJgaODbm9EYAkznyRHytEMnJ4sCOFGcXoQJWorb0sK3GUFG9', 'kSb5yxplkRlmGSPlEOM22U9HEoVFXc5txExM3cE5l909fwyxWVquMoNW09PCg57MSbhzrIynoB6jPMdf', '_82BSeVPHTKcOIrF2B5Rgi85jyt297gdkbsm9gtzjOjptS0tyVVEGOljUszwSogP0eu0zgr2L7yYMZezB'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, I3Th8Mh3i2t6BO8.cs	High entropy of concatenated method names: 'ycTB3QchYaPi6ld', 'deWxASI79woyq9X', '_0n7KpTltKIHYr4T', 'cnoumh2fnWdtSFr', 'pPbZfiyGiLZG83y0NXDujtd2OM9WsXrz7NxMSTjqhuuqXe5XIiwVCIBWN2VwcjY0oBNfeFPxal0iaAv6', 'lUNdOxJmo5suVRX8JZ85chk8dM8838T0TptE9RG0agy0GZKB25UGwHyyGXQzzotyY8KLjqrlJW1NAgA4', '_4vaG21eQNCBulv8UEgvZCAGl3LLf0chsyWtLb0RTqD5A7FuuJ1qSC6ANZnjGgbj59DVznlAqMwOu0LBo', 'Oy6IC0Gx3rsmgu9XRxA3eALAbWTpa6qGsJVPVVuv2so4quJbzZpYJpfbZZgBRr0MRDQQcTswHO6B3PEB', 'GmuG9UvlyARiNeQmXPqoYPMWFFeN1J2qPCDGaWZFGxmfPxArgsFTyoZrkl68opIm9IqICHdpruCNVwyD', 'EY72UclcflxCpseqbhJFb2aRgAGvqfAxZFhVmgMBW6u46L1oNPeisTXrv4zGXLoMmlDtzGeHk2ylsHpd'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, sjmftLizVeKZw8R.cs	High entropy of concatenated method names: 'fC2Hv3iN2A8bbkN', 'LDG4MG013gN6bXu', 'e5Y4CqvEcAEoHx6', 'WxHBkeBtQLLel5W', 'LclPVtD49F1s3Ze', 'HQae3xAr1kaUxi8', '_4JhsqusRTKSKtTK', 'KBnf1CAHIhlDR6u', 'TQKV9rsqz5qXI2U', 'eztSPsRMjtnDHAH'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs	High entropy of concatenated method names: 'ZA1wSX8Y9rkyTOK', '_6l4VVkKWlLft6pE', 'mPqymSheHPUODwD', 'L2l2tsx1mGtScNH', 'GgWLdnBgKUFVsKe', 'mAzEPTGccxcwXrt', 'Ngd0V2uENuoJV7Y', '_1avyPG6avJrhMmb', 'YwYLCnL16L0IAiE', 'DfKhJS0b7F4dMa0'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, cwqxDxQiWlgCHGb.cs	High entropy of concatenated method names: 'NKOK6UgjJmOa6Im', 'igBJYGsMPitE6DG', 'jVpPD8sTfj9Nd10', 'G3EE5RtitA8krxl', 'Iz350rgzj3tqXNt', '_2LohON0bxHVhFNj', 'ufnMJe4vzMbpR6d', 'ifAbAoEYZVj5dHE', 'cIT6pad9Nfm5BIM', 'tkvQFISXvFMdFiN'

Drops PE files

Source: C:\Users\user\Desktop\Windows Defender.exe

File created: C:\Users\user\AppData\Roaming\Windows defender.exe

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\Windows Defender.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows defender.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\Windows Defender.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows defender.lnk

Jump to behavior

Source: C:\Users\user\Desktop\Windows Defender.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows defender			Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows defender			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Windows Defender.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Windows Defender.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Windows Defender.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Windows Defender.exe, 00000000.00000002.2938486382.0000000002981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Windows Defender.exe, Windows defender.exe.0.dr	Binary or memory string: SBIEDLL.DLLASSBC68E0MEKPEVR4DCWZ2QYFOLPF9HXYGFFRWC6JFPPHY7QHASTUWIU0M2HUWJOFFN62RZJLF4OPSJSN2JVIV7DCXK1HHOUAWAPLZC2HUHO9OUDJYBBIID5WMYEQSOIT5FGZODAHXWX7TS22XFA6F7CQMYRVHDGON7XHUXBTVMB5OQ8SEHPYA5F1L9R1KDGX1H3APQOKXHEQUB2UQJBOWDNEM3V1ZCG0HYZWOUOUGQ4OSRNRY4T5ANUNOTOHVIMVRKLU4B14PUDOWL6SXKUVEOI33A1EHABCQQZCRA8PQMNCOEW7QMMT9OGFVWICUY9U5MKOQDNF4F0WI3R1WUHIWOAX3AGLL9SIWGVQQZSTYNDJBKFAQGCEPOUNPCAQIRZHUNRPUIKAFIBJPFZSMINKFA9FNC0W9L0CIPAIZR4UDR3PY7U2OYKFANVKA4AI25VQYVC9LTPWNJHKLUCICHGEDANAVMOBF1IPNSKPUB86GARB59HI5VVHTTQVYDRDW1JZOWNBZIB8JCDPHZSUBZHAVTORVDAC7POF10AKNEWW7FKGKHXWNZZAGHJIF00NPSI9KYKOTYSZOORAPLXSKRC9HKZJSZODJMOY6TYQ6ODNJVASSCQIU7IZOZF0R0XAAO7YBTDMT4Z0YDGF9LM2MYLTTFX7XC5MCCURYT1OVSXMGZ2P8INFO

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\Windows Defender.exe	Memory allocated: BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Memory allocated: 1A980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Memory allocated: 8E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Memory allocated: 1A300000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Memory allocated: 1390000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Memory allocated: 1B070000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Windows Defender.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\Windows Defender.exe	Window / User API: threadDelayed 3856	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Window / User API: threadDelayed 5982	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4225	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6974	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2817	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7393	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2162	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7563
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2061

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Windows Defender.exe TID: 1244	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2124	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2188	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7120	Thread sleep count: 7393 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3260	Thread sleep count: 2162 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5440	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3684	Thread sleep count: 7563 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1908	Thread sleep count: 2061 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5952	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows defender.exe TID: 2008	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows defender.exe TID: 1848	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Windows Defender.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\Windows Defender.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\Windows Defender.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\catroot2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\AppxSip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SYSTEM32\OpcServices.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\wshext.dll

Source: Windows defender.exe.0.dr	Binary or memory string: vmware
Source: Windows Defender.exe, 00000000.00000002.2971854237.000000001B795000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Windows Defender.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\Windows Defender.exe

Code function: 0_2_00007FFD9B8B73F0 CheckRemoteDebuggerPresent,

0_2_00007FFD9B8B73F0

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Windows Defender.exe

Process queried: DebugPort

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\Windows Defender.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Windows Defender.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows defender.exe'
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows defender.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\Windows Defender.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows defender.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows defender.exe'	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Windows Defender.exe	Queries volume information: C:\Users\user\Desktop\Windows Defender.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Queries volume information: C:\Users\user\AppData\Roaming\Windows defender.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Queries volume information: C:\Users\user\AppData\Roaming\Windows defender.exe VolumeInformation

Source: C:\Users\user\Desktop\Windows Defender.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Windows Defender.exe, 00000000.00000002.2932483269.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, Windows Defender.exe, 00000000.00000002.2971854237.000000001B865000.00000004.00000020.00020000.00000000.sdmp, Windows Defender.exe, 00000000.00000002.2971854237.000000001B795000.00000004.00000020.00020000.00000000.sdmp, Windows Defender.exe, 00000000.00000002.2971854237.000000001B7E1000.00000004.00000020.00020000.00000000.sdmp, Windows Defender.exe, 00000000.00000002.2932483269.0000000000BFC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\Windows Defender.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Windows Defender.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Windows Defender.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: Windows Defender.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Windows Defender.exe.12991a78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Windows Defender.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2968960632.0000000012991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2938486382.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1679736888.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Windows Defender.exe PID: 6848, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Windows defender.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: Windows Defender.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Windows Defender.exe.12991a78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Windows Defender.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2968960632.0000000012991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2938486382.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1679736888.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Windows Defender.exe PID: 6848, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Windows defender.exe, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true
147.185.221.20	rest-root.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

Contacted Domains

Name	IP	Active
ip-api.com	208.95.112.1	true
rest-root.gl.at.ply.gg	147.185.221.20	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
rest-root.gl.at.ply.gg	true	Avira URL Cloud: malware	unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Windows Defender.exe

Avira: detected

Antivirus detection for URL or domain

Source: rest-root.gl.at.ply.gg

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Windows defender.exe

Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: Windows Defender.exe

Malware Configuration Extractor: Xworm {"C2 url": ["rest-root.gl.at.ply.gg"], "Port": "22746", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Windows defender.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: Windows Defender.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Windows defender.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Windows Defender.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: Windows Defender.exe	String decryptor: rest-root.gl.at.ply.gg
Source: Windows Defender.exe	String decryptor: 22746
Source: Windows Defender.exe	String decryptor: <123456789>
Source: Windows Defender.exe	String decryptor: <Xwormmm>
Source: Windows Defender.exe	String decryptor: Windows Defender
Source: Windows Defender.exe	String decryptor: USB.exe
Source: Windows Defender.exe	String decryptor: %AppData%
Source: Windows Defender.exe	String decryptor: Windows defender.exe

Uses 32bit PE files

Source: Windows Defender.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Windows Defender.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\catroot2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\AppxSip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SYSTEM32\OpcServices.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\wshext.dll

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49737 -> 147.185.221.20:22746

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: rest-root.gl.at.ply.gg

Yara detected Generic Downloader

Source: Yara match	File source: Windows Defender.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Windows Defender.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Windows defender.exe, type: DROPPED

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49737 -> 147.185.221.20:22746

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 147.185.221.20 147.185.221.20

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: SALSGIVERUS SALSGIVERUS

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: rest-root.gl.at.ply.gg

Source: powershell.exe, 00000001.00000002.1777599701.00000183768D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000007.00000002.2019157164.000002C4FB5E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000007.00000002.2019157164.000002C4FB5E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000001.00000002.1776503483.0000018376630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000004.00000002.1872277415.00000166D3E9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: Windows Defender.exe, Windows defender.exe.0.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000001.00000002.1770364691.000001836E151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1857314352.00000166CB7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1985826490.000002C490071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2221696230.000001732C5A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://osoft.co
Source: powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1754844090.000001835E309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1805611860.00000166BB969000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1902775888.000002C480229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Windows Defender.exe, 00000000.00000002.2938486382.0000000002981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1754844090.000001835E0E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1805611860.00000166BB741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1902775888.000002C480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2057100718.0000017313D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1754844090.000001835E309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1805611860.00000166BB969000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1902775888.000002C480229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000007.00000002.2013027015.000002C4FB0FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0
Source: powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.2218935309.000001732C280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.?
Source: powershell.exe, 0000000B.00000002.2221696230.000001732C5F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000001.00000002.1754844090.000001835E0E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1805611860.00000166BB741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1902775888.000002C480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2057100718.0000017313D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1770364691.000001836E151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1857314352.00000166CB7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1985826490.000002C490071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\Windows Defender.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: Windows Defender.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Windows Defender.exe.12991a78.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.Windows Defender.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2968960632.0000000012991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1679736888.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Windows defender.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\Windows Defender.exe	Code function: 0_2_00007FFD9B8B5F5E	0_2_00007FFD9B8B5F5E
Source: C:\Users\user\Desktop\Windows Defender.exe	Code function: 0_2_00007FFD9B8B1719	0_2_00007FFD9B8B1719
Source: C:\Users\user\Desktop\Windows Defender.exe	Code function: 0_2_00007FFD9B8B21B1	0_2_00007FFD9B8B21B1
Source: C:\Users\user\Desktop\Windows Defender.exe	Code function: 0_2_00007FFD9B8B6D0E	0_2_00007FFD9B8B6D0E
Source: C:\Users\user\Desktop\Windows Defender.exe	Code function: 0_2_00007FFD9B8B108D	0_2_00007FFD9B8B108D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B9730E9	1_2_00007FFD9B9730E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B8B947D	7_2_00007FFD9B8B947D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9B9630E9	11_2_00007FFD9B9630E9
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Code function: 13_2_00007FFD9B871719	13_2_00007FFD9B871719
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Code function: 13_2_00007FFD9B871038	13_2_00007FFD9B871038
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Code function: 14_2_00007FFD9B8A1719	14_2_00007FFD9B8A1719
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Code function: 14_2_00007FFD9B8A1038	14_2_00007FFD9B8A1038

Uses 32bit PE files

Source: Windows Defender.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: Windows Defender.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Windows Defender.exe.12991a78.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.Windows Defender.exe.670000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2968960632.0000000012991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1679736888.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\Windows defender.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: Windows Defender.exe, k9ZEaIQ7WE7abcI.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows Defender.exe, sjmftLizVeKZw8R.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows Defender.exe, sjmftLizVeKZw8R.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows defender.exe.0.dr, k9ZEaIQ7WE7abcI.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows defender.exe.0.dr, sjmftLizVeKZw8R.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows defender.exe.0.dr, sjmftLizVeKZw8R.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, k9ZEaIQ7WE7abcI.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, sjmftLizVeKZw8R.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, sjmftLizVeKZw8R.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Windows Defender.exe, DNAvWoxlxYdwRmJ.cs	Base64 encoded string: 'UEic17gcdPhei7NnSlP1I0Y58TvKNTbgrbxsIk5USybNlzFCkAlPuXlyHhTWVtuIOh2yjhKVZAfTP5zk'
Source: Windows Defender.exe, k9ZEaIQ7WE7abcI.cs	Base64 encoded string: 'rdcKgil9jw1X2zdhihPXMwx7NCEcpYuAy8GxwHjnbaqaCLbIs27TnYWaWe1xcOjZQGlC3JnA6kJmSSCg'
Source: Windows Defender.exe, I3Th8Mh3i2t6BO8.cs	Base64 encoded string: 'ooPbg3qvntthc1Q2MOaYfqnYeCorl1rGWJAqDjvVK7DZlR1HF8qVL2TtZT2FehNaORfpdfWI4xIKVGOW', 'h9zhxh8trJDojSxz4ITn1YDS9EBVcSKfoSMLUNeofbxf7OXBUGFWirolxmtB1QmR3yLjIYz1Jbf70ld4'
Source: Windows Defender.exe, sjmftLizVeKZw8R.cs	Base64 encoded string: 'WEghI6uy2hFG1KHMgJsxoeGDRWzqEtXs8BJ5FHd0UUsFI9xL92oq63FtNLGtTw2sloDAYe86xqB7xWXt', 'goU85lIv4pENuscgMlWnuHS2oToHNclhUeiw1bQyy3BRHZkddyFpORvr5PP0EKuQsTlLKXC1p4cENgGr', 'u157DBp3iqR0B6XEZqjM42CgiUFW8T92NU4BAOhwquDkhRdMBsSRYe3q0ySCXVY41HLaPayoYhYbajoK', 'tqQq3wWS7UeKjGfGpnRdlcBpI3wfpTJh73RVES4EmHVEHFQqzNTy1f0bMk0mVTx3pbPLNFw9u1ReOW6w', 'wd7w6tcGfInQeyX9f5URfqDdOrpwKnz6mRWILeMPyLBeJlKht2NlbHY6bA2j3aQjHclStR97zJuKSzyW', 'WnJk9xds6ydUfk9kYx3UmjnpPwVHYl0N9PXCifxGEbl0JaGMHSZSp3USKAX4jTQmffZNsCf0CrWmb6Ky', 'TmqrLHLStmuvVyBREn23NU36bUw6coOO3DKqyX6KEdnaLxzj6jKamhdm7B70VDI9NjKBrsaWPPmgLZvj', 'r9l0Gd958lkcLlCpgsAQlzFEmniYPhTO9bAv8mPCy3aD0FXmzLOzgVPhxOxNlDMaZZm6PYGEiZu477I4', 'rKRJC6Ohqhl8eju1hY25TerPmTIDZYfFw6VVcVUxBoOiru5yZrQMI81x3KvuCWSi2DDDhoPT8arLkRev', 'peqHxWF4qkAxGfZzCiLc9DOMMepLszbIlaZAZK7bPIgpg9Pfq1I5ZkjGHNcjNkeRrGlnSK15S8MtEmpm', 'oz2CHMvGGyPS5AfvXkUNKRWY70JRmDKBsB3OodHfbmgG6aj0wJlG0vaIV3O2joyTwzaUbAoxX83agaMp'
Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs	Base64 encoded string: 'ViJekX5myKyv49Z0rre4JgYbfabIkBmeQsIX0Lgd7HE2xxZQzMKkuFIVWP7D4qRmvir9dxSWtJ8IIX4p', 'zwD8WMc2WdKuVghVOFcg7UFSnswD7Nb6XXBVIff0WZuHnwmBYVmREHZXo5SGWC8nHVlwKx25WsDMTJIP', 'XF17ykcQAwVhqNmkqgqloozK6dJVhA90CNaNs8R49dbRb3NO4juUdeYTuDRBTWfQ3ozUVm3AbXwfDdcy', 'KEY4Vx29ifLGrOd4mzqFUgQFQWGAhK4tJZ9qfes3PNXMWLL68pOcGjPP4JpNgBjkACfl3KRqrxXT14T2'
Source: Windows Defender.exe, cwqxDxQiWlgCHGb.cs	Base64 encoded string: 'ZVH0I3tjoa1EqoTOQwyS3s1Pr9kdpODAaYH2Y5UxLB6MgijTZzCxyRsE2F9ORt54HNUvt9qBdMvEHPpQ', 'SpRLbf9VI6TjUykFmo9x1LpfSeva0PzcIz6eomkLPGMVXzc0Ys7qZ1xYjsMJ47OlUDbRMfpp0IQyW1op', 'V4p81Jz72fONymG0ufV4eOafKCddIidlLZKD6eLGhay9oToKxM1nGWxqdBthCGD9SIUaudEivy7m2J4c', 'GEAL1LI9RSVoLCL39R7H5RJxMKUVhXpSi99d1h28Vi8H9xeKkhts6HrLYmjPGLrbvMHSFvc5Fx3DCPLz', 'Lm0SPRS8nECsoK8zCJpxprvXwYnvtnTLTOZZ70Iu34zz9Zmq7Em9DmcSg8EAF2Odi4syFegf8Is0oJCm', 'S60u4i1SJ9h68Vmptzs1AIRSzItwQ7HIzAHWCERgOo87v8qDBPS3HAIK7ZbeNOPgb3HqUZZ9rD20GW54', 'W3O1L1iqrk8KhZ87RWoTqXVc4W2M2ObxSpXv7drMTpcKr8xwZ9PijAVxca3bYrp1HKtFzoxdfMzH5b25', 'ImqIeQfEfEMyLQcQIs3NOYe2TQLeusfAvxL7vfxIR0F5kavKW2smnIBHqOS4MchBmFKIgVBZcVcdPKTu', 'sPnkd3CF4h2wf0vADBLdSubVdskF9QK6YYDT7pAvmXhfvf3m4ZcKqKu5VrhTxjvcX9sYvAr6AE4I1MmI', 'Pwnz8L4g7Q1hkgJ1G6Y8tzeoRggKLIFcFm8I5Wb1IduXdvHK9QtF8xbpCI4JVuw7a4FkJGZ1kyja7INW', 'zTcoLtiDQUKEfbbQ9DMQA6t1vjQdNhiy2nhLIOymrl7HawDadJNdPVKyvmuuO9qUtf0MDMzx97Dfow7n', 'HssZBJNobvSzJLj2MqIbojCesksghFPp8FVlg2cMG3b1bECZar1xmRuNzJuazdBvqej1rtWFG6T65I7o', 'KMSLjKVtooNric6EzwGzjkjqc3f1ud45t8aBvjKmQ8lKIYTjir3D58mY5HBoiXzwzDx746dzREdaMrWl'
Source: Windows defender.exe.0.dr, DNAvWoxlxYdwRmJ.cs	Base64 encoded string: 'UEic17gcdPhei7NnSlP1I0Y58TvKNTbgrbxsIk5USybNlzFCkAlPuXlyHhTWVtuIOh2yjhKVZAfTP5zk'
Source: Windows defender.exe.0.dr, k9ZEaIQ7WE7abcI.cs	Base64 encoded string: 'rdcKgil9jw1X2zdhihPXMwx7NCEcpYuAy8GxwHjnbaqaCLbIs27TnYWaWe1xcOjZQGlC3JnA6kJmSSCg'
Source: Windows defender.exe.0.dr, I3Th8Mh3i2t6BO8.cs	Base64 encoded string: 'ooPbg3qvntthc1Q2MOaYfqnYeCorl1rGWJAqDjvVK7DZlR1HF8qVL2TtZT2FehNaORfpdfWI4xIKVGOW', 'h9zhxh8trJDojSxz4ITn1YDS9EBVcSKfoSMLUNeofbxf7OXBUGFWirolxmtB1QmR3yLjIYz1Jbf70ld4'
Source: Windows defender.exe.0.dr, sjmftLizVeKZw8R.cs	Base64 encoded string: 'WEghI6uy2hFG1KHMgJsxoeGDRWzqEtXs8BJ5FHd0UUsFI9xL92oq63FtNLGtTw2sloDAYe86xqB7xWXt', 'goU85lIv4pENuscgMlWnuHS2oToHNclhUeiw1bQyy3BRHZkddyFpORvr5PP0EKuQsTlLKXC1p4cENgGr', 'u157DBp3iqR0B6XEZqjM42CgiUFW8T92NU4BAOhwquDkhRdMBsSRYe3q0ySCXVY41HLaPayoYhYbajoK', 'tqQq3wWS7UeKjGfGpnRdlcBpI3wfpTJh73RVES4EmHVEHFQqzNTy1f0bMk0mVTx3pbPLNFw9u1ReOW6w', 'wd7w6tcGfInQeyX9f5URfqDdOrpwKnz6mRWILeMPyLBeJlKht2NlbHY6bA2j3aQjHclStR97zJuKSzyW', 'WnJk9xds6ydUfk9kYx3UmjnpPwVHYl0N9PXCifxGEbl0JaGMHSZSp3USKAX4jTQmffZNsCf0CrWmb6Ky', 'TmqrLHLStmuvVyBREn23NU36bUw6coOO3DKqyX6KEdnaLxzj6jKamhdm7B70VDI9NjKBrsaWPPmgLZvj', 'r9l0Gd958lkcLlCpgsAQlzFEmniYPhTO9bAv8mPCy3aD0FXmzLOzgVPhxOxNlDMaZZm6PYGEiZu477I4', 'rKRJC6Ohqhl8eju1hY25TerPmTIDZYfFw6VVcVUxBoOiru5yZrQMI81x3KvuCWSi2DDDhoPT8arLkRev', 'peqHxWF4qkAxGfZzCiLc9DOMMepLszbIlaZAZK7bPIgpg9Pfq1I5ZkjGHNcjNkeRrGlnSK15S8MtEmpm', 'oz2CHMvGGyPS5AfvXkUNKRWY70JRmDKBsB3OodHfbmgG6aj0wJlG0vaIV3O2joyTwzaUbAoxX83agaMp'
Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs	Base64 encoded string: 'ViJekX5myKyv49Z0rre4JgYbfabIkBmeQsIX0Lgd7HE2xxZQzMKkuFIVWP7D4qRmvir9dxSWtJ8IIX4p', 'zwD8WMc2WdKuVghVOFcg7UFSnswD7Nb6XXBVIff0WZuHnwmBYVmREHZXo5SGWC8nHVlwKx25WsDMTJIP', 'XF17ykcQAwVhqNmkqgqloozK6dJVhA90CNaNs8R49dbRb3NO4juUdeYTuDRBTWfQ3ozUVm3AbXwfDdcy', 'KEY4Vx29ifLGrOd4mzqFUgQFQWGAhK4tJZ9qfes3PNXMWLL68pOcGjPP4JpNgBjkACfl3KRqrxXT14T2'
Source: Windows defender.exe.0.dr, cwqxDxQiWlgCHGb.cs	Base64 encoded string: 'ZVH0I3tjoa1EqoTOQwyS3s1Pr9kdpODAaYH2Y5UxLB6MgijTZzCxyRsE2F9ORt54HNUvt9qBdMvEHPpQ', 'SpRLbf9VI6TjUykFmo9x1LpfSeva0PzcIz6eomkLPGMVXzc0Ys7qZ1xYjsMJ47OlUDbRMfpp0IQyW1op', 'V4p81Jz72fONymG0ufV4eOafKCddIidlLZKD6eLGhay9oToKxM1nGWxqdBthCGD9SIUaudEivy7m2J4c', 'GEAL1LI9RSVoLCL39R7H5RJxMKUVhXpSi99d1h28Vi8H9xeKkhts6HrLYmjPGLrbvMHSFvc5Fx3DCPLz', 'Lm0SPRS8nECsoK8zCJpxprvXwYnvtnTLTOZZ70Iu34zz9Zmq7Em9DmcSg8EAF2Odi4syFegf8Is0oJCm', 'S60u4i1SJ9h68Vmptzs1AIRSzItwQ7HIzAHWCERgOo87v8qDBPS3HAIK7ZbeNOPgb3HqUZZ9rD20GW54', 'W3O1L1iqrk8KhZ87RWoTqXVc4W2M2ObxSpXv7drMTpcKr8xwZ9PijAVxca3bYrp1HKtFzoxdfMzH5b25', 'ImqIeQfEfEMyLQcQIs3NOYe2TQLeusfAvxL7vfxIR0F5kavKW2smnIBHqOS4MchBmFKIgVBZcVcdPKTu', 'sPnkd3CF4h2wf0vADBLdSubVdskF9QK6YYDT7pAvmXhfvf3m4ZcKqKu5VrhTxjvcX9sYvAr6AE4I1MmI', 'Pwnz8L4g7Q1hkgJ1G6Y8tzeoRggKLIFcFm8I5Wb1IduXdvHK9QtF8xbpCI4JVuw7a4FkJGZ1kyja7INW', 'zTcoLtiDQUKEfbbQ9DMQA6t1vjQdNhiy2nhLIOymrl7HawDadJNdPVKyvmuuO9qUtf0MDMzx97Dfow7n', 'HssZBJNobvSzJLj2MqIbojCesksghFPp8FVlg2cMG3b1bECZar1xmRuNzJuazdBvqej1rtWFG6T65I7o', 'KMSLjKVtooNric6EzwGzjkjqc3f1ud45t8aBvjKmQ8lKIYTjir3D58mY5HBoiXzwzDx746dzREdaMrWl'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, DNAvWoxlxYdwRmJ.cs	Base64 encoded string: 'UEic17gcdPhei7NnSlP1I0Y58TvKNTbgrbxsIk5USybNlzFCkAlPuXlyHhTWVtuIOh2yjhKVZAfTP5zk'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, k9ZEaIQ7WE7abcI.cs	Base64 encoded string: 'rdcKgil9jw1X2zdhihPXMwx7NCEcpYuAy8GxwHjnbaqaCLbIs27TnYWaWe1xcOjZQGlC3JnA6kJmSSCg'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, I3Th8Mh3i2t6BO8.cs	Base64 encoded string: 'ooPbg3qvntthc1Q2MOaYfqnYeCorl1rGWJAqDjvVK7DZlR1HF8qVL2TtZT2FehNaORfpdfWI4xIKVGOW', 'h9zhxh8trJDojSxz4ITn1YDS9EBVcSKfoSMLUNeofbxf7OXBUGFWirolxmtB1QmR3yLjIYz1Jbf70ld4'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, sjmftLizVeKZw8R.cs	Base64 encoded string: 'WEghI6uy2hFG1KHMgJsxoeGDRWzqEtXs8BJ5FHd0UUsFI9xL92oq63FtNLGtTw2sloDAYe86xqB7xWXt', 'goU85lIv4pENuscgMlWnuHS2oToHNclhUeiw1bQyy3BRHZkddyFpORvr5PP0EKuQsTlLKXC1p4cENgGr', 'u157DBp3iqR0B6XEZqjM42CgiUFW8T92NU4BAOhwquDkhRdMBsSRYe3q0ySCXVY41HLaPayoYhYbajoK', 'tqQq3wWS7UeKjGfGpnRdlcBpI3wfpTJh73RVES4EmHVEHFQqzNTy1f0bMk0mVTx3pbPLNFw9u1ReOW6w', 'wd7w6tcGfInQeyX9f5URfqDdOrpwKnz6mRWILeMPyLBeJlKht2NlbHY6bA2j3aQjHclStR97zJuKSzyW', 'WnJk9xds6ydUfk9kYx3UmjnpPwVHYl0N9PXCifxGEbl0JaGMHSZSp3USKAX4jTQmffZNsCf0CrWmb6Ky', 'TmqrLHLStmuvVyBREn23NU36bUw6coOO3DKqyX6KEdnaLxzj6jKamhdm7B70VDI9NjKBrsaWPPmgLZvj', 'r9l0Gd958lkcLlCpgsAQlzFEmniYPhTO9bAv8mPCy3aD0FXmzLOzgVPhxOxNlDMaZZm6PYGEiZu477I4', 'rKRJC6Ohqhl8eju1hY25TerPmTIDZYfFw6VVcVUxBoOiru5yZrQMI81x3KvuCWSi2DDDhoPT8arLkRev', 'peqHxWF4qkAxGfZzCiLc9DOMMepLszbIlaZAZK7bPIgpg9Pfq1I5ZkjGHNcjNkeRrGlnSK15S8MtEmpm', 'oz2CHMvGGyPS5AfvXkUNKRWY70JRmDKBsB3OodHfbmgG6aj0wJlG0vaIV3O2joyTwzaUbAoxX83agaMp'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs	Base64 encoded string: 'ViJekX5myKyv49Z0rre4JgYbfabIkBmeQsIX0Lgd7HE2xxZQzMKkuFIVWP7D4qRmvir9dxSWtJ8IIX4p', 'zwD8WMc2WdKuVghVOFcg7UFSnswD7Nb6XXBVIff0WZuHnwmBYVmREHZXo5SGWC8nHVlwKx25WsDMTJIP', 'XF17ykcQAwVhqNmkqgqloozK6dJVhA90CNaNs8R49dbRb3NO4juUdeYTuDRBTWfQ3ozUVm3AbXwfDdcy', 'KEY4Vx29ifLGrOd4mzqFUgQFQWGAhK4tJZ9qfes3PNXMWLL68pOcGjPP4JpNgBjkACfl3KRqrxXT14T2'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, cwqxDxQiWlgCHGb.cs	Base64 encoded string: 'ZVH0I3tjoa1EqoTOQwyS3s1Pr9kdpODAaYH2Y5UxLB6MgijTZzCxyRsE2F9ORt54HNUvt9qBdMvEHPpQ', 'SpRLbf9VI6TjUykFmo9x1LpfSeva0PzcIz6eomkLPGMVXzc0Ys7qZ1xYjsMJ47OlUDbRMfpp0IQyW1op', 'V4p81Jz72fONymG0ufV4eOafKCddIidlLZKD6eLGhay9oToKxM1nGWxqdBthCGD9SIUaudEivy7m2J4c', 'GEAL1LI9RSVoLCL39R7H5RJxMKUVhXpSi99d1h28Vi8H9xeKkhts6HrLYmjPGLrbvMHSFvc5Fx3DCPLz', 'Lm0SPRS8nECsoK8zCJpxprvXwYnvtnTLTOZZ70Iu34zz9Zmq7Em9DmcSg8EAF2Odi4syFegf8Is0oJCm', 'S60u4i1SJ9h68Vmptzs1AIRSzItwQ7HIzAHWCERgOo87v8qDBPS3HAIK7ZbeNOPgb3HqUZZ9rD20GW54', 'W3O1L1iqrk8KhZ87RWoTqXVc4W2M2ObxSpXv7drMTpcKr8xwZ9PijAVxca3bYrp1HKtFzoxdfMzH5b25', 'ImqIeQfEfEMyLQcQIs3NOYe2TQLeusfAvxL7vfxIR0F5kavKW2smnIBHqOS4MchBmFKIgVBZcVcdPKTu', 'sPnkd3CF4h2wf0vADBLdSubVdskF9QK6YYDT7pAvmXhfvf3m4ZcKqKu5VrhTxjvcX9sYvAr6AE4I1MmI', 'Pwnz8L4g7Q1hkgJ1G6Y8tzeoRggKLIFcFm8I5Wb1IduXdvHK9QtF8xbpCI4JVuw7a4FkJGZ1kyja7INW', 'zTcoLtiDQUKEfbbQ9DMQA6t1vjQdNhiy2nhLIOymrl7HawDadJNdPVKyvmuuO9qUtf0MDMzx97Dfow7n', 'HssZBJNobvSzJLj2MqIbojCesksghFPp8FVlg2cMG3b1bECZar1xmRuNzJuazdBvqej1rtWFG6T65I7o', 'KMSLjKVtooNric6EzwGzjkjqc3f1ud45t8aBvjKmQ8lKIYTjir3D58mY5HBoiXzwzDx746dzREdaMrWl'

Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, 85IhxSGtOfNN64Z.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, 85IhxSGtOfNN64Z.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Windows defender.exe.0.dr, 85IhxSGtOfNN64Z.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Windows defender.exe.0.dr, 85IhxSGtOfNN64Z.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Windows Defender.exe, 85IhxSGtOfNN64Z.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Windows Defender.exe, 85IhxSGtOfNN64Z.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/21@2/2

Source: C:\Users\user\Desktop\Windows Defender.exe

File created: C:\Users\user\AppData\Roaming\Windows defender.exe

Jump to behavior

Source: C:\Users\user\Desktop\Windows Defender.exe	Mutant created: \Sessions\1\BaseNamedObjects\Vi0dGCBzRjwIFWiY
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1028:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03

Source: C:\Users\user\Desktop\Windows Defender.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: Windows Defender.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Windows Defender.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Windows Defender.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Windows Defender.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Windows Defender.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\Windows Defender.exe

File read: C:\Users\user\Desktop\Windows Defender.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Windows Defender.exe "C:\Users\user\Desktop\Windows Defender.exe"
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windows defender.exe "C:\Users\user\AppData\Roaming\Windows defender.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windows defender.exe "C:\Users\user\AppData\Roaming\Windows defender.exe"
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows defender.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows defender.exe'	Jump to behavior

Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\Windows Defender.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Windows defender.lnk.0.dr

LNK file: ..\..\..\..\..\Windows defender.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Windows Defender.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Windows Defender.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{IiG77VCIYIyAinp.SAF5KmKklxldXEs,IiG77VCIYIyAinp.LotdAze8Ef6WJIY,IiG77VCIYIyAinp.Kx9554HmAGalplp,IiG77VCIYIyAinp.wqwaheO8RVJ9q8D,sjmftLizVeKZw8R.oZBtFDCxkh7P706()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UyHzfp1JBRCQZN0[2],sjmftLizVeKZw8R.LmgXrb8KxfqOZHi(Convert.FromBase64String(UyHzfp1JBRCQZN0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{IiG77VCIYIyAinp.SAF5KmKklxldXEs,IiG77VCIYIyAinp.LotdAze8Ef6WJIY,IiG77VCIYIyAinp.Kx9554HmAGalplp,IiG77VCIYIyAinp.wqwaheO8RVJ9q8D,sjmftLizVeKZw8R.oZBtFDCxkh7P706()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UyHzfp1JBRCQZN0[2],sjmftLizVeKZw8R.LmgXrb8KxfqOZHi(Convert.FromBase64String(UyHzfp1JBRCQZN0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{IiG77VCIYIyAinp.SAF5KmKklxldXEs,IiG77VCIYIyAinp.LotdAze8Ef6WJIY,IiG77VCIYIyAinp.Kx9554HmAGalplp,IiG77VCIYIyAinp.wqwaheO8RVJ9q8D,sjmftLizVeKZw8R.oZBtFDCxkh7P706()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UyHzfp1JBRCQZN0[2],sjmftLizVeKZw8R.LmgXrb8KxfqOZHi(Convert.FromBase64String(UyHzfp1JBRCQZN0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs	.Net Code: _6l4VVkKWlLft6pE System.AppDomain.Load(byte[])
Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs	.Net Code: _2yleSFZfrEaaNXy System.AppDomain.Load(byte[])
Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs	.Net Code: _2yleSFZfrEaaNXy
Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs	.Net Code: _6l4VVkKWlLft6pE System.AppDomain.Load(byte[])
Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs	.Net Code: _2yleSFZfrEaaNXy System.AppDomain.Load(byte[])
Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs	.Net Code: _2yleSFZfrEaaNXy
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs	.Net Code: _6l4VVkKWlLft6pE System.AppDomain.Load(byte[])
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs	.Net Code: _2yleSFZfrEaaNXy System.AppDomain.Load(byte[])
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs	.Net Code: _2yleSFZfrEaaNXy

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B78D2A5 pushad ; iretd	1_2_00007FFD9B78D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8A0972 push E95A82D0h; ret	1_2_00007FFD9B8A09C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8A1074 push E85B8B0Dh; ret	1_2_00007FFD9B8A10F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B972316 push 8B485F92h; iretd	1_2_00007FFD9B97231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B78D2A5 pushad ; iretd	4_2_00007FFD9B78D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B972316 push 8B485F92h; iretd	4_2_00007FFD9B97231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B79D2A5 pushad ; iretd	7_2_00007FFD9B79D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B982316 push 8B485F91h; iretd	7_2_00007FFD9B98231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9B77D2A5 pushad ; iretd	11_2_00007FFD9B77D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_00007FFD9B962316 push 8B485F93h; iretd	11_2_00007FFD9B96231B

Source: Windows Defender.exe, 4HsJjuIP2UkRI9R.cs	High entropy of concatenated method names: 'jfw6pgiyRlXjLvW', '_73kiPYRZTt9iH8K', 'LuMB2o4Uhl3slYm', '_5iGvflySuJ2XB7mOoMsErBneGDDGoTVQxB7zXHDoI1b0LC9IeT7lXims44Ai1VS7R', 'qsUJnoNFDmuJGsQgdplxKlxv63v6KavmbVtF0JwKJQAA07HzBLj1iDe8rhkxBPZOs', 'YeW5xHeQumgoAkjFU2J9qnRqbGllYzYTu1JWTlFx65nbNgN6kfL4Tj3g8N066pGVH', 'C9g9BCZonES8wz7DXkLz8oNb9f926DDafJELUyu01BVE34DuE34v1X1ttiQoMK0Fl', '_6GrR4BNPHoCS3xvSYAnwhYYm8IFBAqwW3S7L67cWPC8A5B5CuHuaIboPDwjsyuUX7', 'rjcbd1yYzzaaY8lGu3cfV6xgZbMypogrooTZ5z7t3LIHv5eZFM7fWXHCLBBb8vEkG', 'AwF5JHjCl5FhRMAkYMRBiy5ekbqTyLdWmHkLQp1gM6RrCm8sIApYyfqhmokialfEU'
Source: Windows Defender.exe, IiG77VCIYIyAinp.cs	High entropy of concatenated method names: 'On7tk7CL4ICqwtJ17iyjvmroiyw8WZlr4MB4LP0nA8dx3ySI', 'V7eUuu0Dc75KTOrci9ReUfHmMHpjn3wFJJRKZH6QBZt45qfA', '_7V3NAsTVvEpV1KghbpMBUBfXxJ0gqd14EW7QgC5jRRCOicxa', 'H3wsgnzQp18ON9bs9wjvVyXbX9kSmtp8LrrlKFAIKltFLuZt'
Source: Windows Defender.exe, GzYlpNyzaslb0P5ovfphEnusQWYGKo.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'EJzGa7Ric7poYCgb41mvt5ldgjt51zq0BhFA1Xjj4wvS8InZ', 'GQ7tE9xs7bgguiu4ayikFAYQW0uh1MtAiHNsSkYdUqkdsLPI', 'omqgjj5ThJ8sFg3yxDaEwabnJhSmuqwI4e38fCjJrhdNKM5V', 'fsP5Xf2jdvqOWEV11Et9IH91ihdTx8o2dGfo9jMlkXZcQBQX'
Source: Windows Defender.exe, yfcXnm8Ph88Q7SS.cs	High entropy of concatenated method names: 'YxIUiUb1239uDz3', 'gMqKkY39oBJdPEc', 'wDmblHZzi5ufWIx', 'fIi1pkQemOV1VOg', 'LP2QKJGgCnpmSZ9', 'LIjuTg9mGO9GE6i', 'HzUFxULiarW50EW', '_80kl1VPnKSNLHn1', 'Dm2owszwUpyoSfa', 'hfZTr2VHFCTKyZz'
Source: Windows Defender.exe, DNAvWoxlxYdwRmJ.cs	High entropy of concatenated method names: 'YIMRtj1s9oNdU0N', '_5520HD1l8I2XRvvtXor9rfriehZm8XltHQUn20fvMgMr2pscG6OXUObl62pMLvYKdozsLDDyfkrTUzmW', 'kiAxGyXDIwuNBtK5wSL03PDYcLGzFoSqgROWN7GzW8uxRe1zCAcaKSVXJCHkWSmyAx9dKZPxZnbkoans', 'UBEhOpEhEJVw0VvqFMFmXP0eFyLMjTEZiaEqtdOUt1LVVYwizDfaeR1OegbFNjEvIFl2IUDB5TiCzhtw', 'Q3EP9OA0Z2GirNFLWCgus087plBS9P1WIaB5fpMmWaE5VJSj6kbZXEy1T1A2SkZr06zNXvZHj8S5hGZy'
Source: Windows Defender.exe, 85IhxSGtOfNN64Z.cs	High entropy of concatenated method names: 'yWre6hYlj3lAFIe', 'w53lih6zzuxhdoo', 'ztKj3tzVIquKCWN', 'iAZZ3meOOCoWCuv', 'AG6EflH4htfZrjb', 'di3uQfxFg5FUgGd', 'SUaVC5nJy749fR2', 'Ml9Lz9F6G4XkEEc', 'gxrqTZHTbl6sS38', 'EoQBMeo9SVrfYpN'
Source: Windows Defender.exe, k9ZEaIQ7WE7abcI.cs	High entropy of concatenated method names: 'SYKN04mGwOtKVri', 'RXvOTn7ZPneJ4ZmOWPMXI2mHhemT0Op6a4Wr1k71y4plI4drhye04rKq9kMGh3xstgorqutmVwu8tcdV', '_9wlF4qXH0wGWgIlS9v9hUETRfiDCq4jhZJgaODbm9EYAkznyRHytEMnJ4sCOFGcXoQJWorb0sK3GUFG9', 'kSb5yxplkRlmGSPlEOM22U9HEoVFXc5txExM3cE5l909fwyxWVquMoNW09PCg57MSbhzrIynoB6jPMdf', '_82BSeVPHTKcOIrF2B5Rgi85jyt297gdkbsm9gtzjOjptS0tyVVEGOljUszwSogP0eu0zgr2L7yYMZezB'
Source: Windows Defender.exe, I3Th8Mh3i2t6BO8.cs	High entropy of concatenated method names: 'ycTB3QchYaPi6ld', 'deWxASI79woyq9X', '_0n7KpTltKIHYr4T', 'cnoumh2fnWdtSFr', 'pPbZfiyGiLZG83y0NXDujtd2OM9WsXrz7NxMSTjqhuuqXe5XIiwVCIBWN2VwcjY0oBNfeFPxal0iaAv6', 'lUNdOxJmo5suVRX8JZ85chk8dM8838T0TptE9RG0agy0GZKB25UGwHyyGXQzzotyY8KLjqrlJW1NAgA4', '_4vaG21eQNCBulv8UEgvZCAGl3LLf0chsyWtLb0RTqD5A7FuuJ1qSC6ANZnjGgbj59DVznlAqMwOu0LBo', 'Oy6IC0Gx3rsmgu9XRxA3eALAbWTpa6qGsJVPVVuv2so4quJbzZpYJpfbZZgBRr0MRDQQcTswHO6B3PEB', 'GmuG9UvlyARiNeQmXPqoYPMWFFeN1J2qPCDGaWZFGxmfPxArgsFTyoZrkl68opIm9IqICHdpruCNVwyD', 'EY72UclcflxCpseqbhJFb2aRgAGvqfAxZFhVmgMBW6u46L1oNPeisTXrv4zGXLoMmlDtzGeHk2ylsHpd'
Source: Windows Defender.exe, sjmftLizVeKZw8R.cs	High entropy of concatenated method names: 'fC2Hv3iN2A8bbkN', 'LDG4MG013gN6bXu', 'e5Y4CqvEcAEoHx6', 'WxHBkeBtQLLel5W', 'LclPVtD49F1s3Ze', 'HQae3xAr1kaUxi8', '_4JhsqusRTKSKtTK', 'KBnf1CAHIhlDR6u', 'TQKV9rsqz5qXI2U', 'eztSPsRMjtnDHAH'
Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs	High entropy of concatenated method names: 'ZA1wSX8Y9rkyTOK', '_6l4VVkKWlLft6pE', 'mPqymSheHPUODwD', 'L2l2tsx1mGtScNH', 'GgWLdnBgKUFVsKe', 'mAzEPTGccxcwXrt', 'Ngd0V2uENuoJV7Y', '_1avyPG6avJrhMmb', 'YwYLCnL16L0IAiE', 'DfKhJS0b7F4dMa0'
Source: Windows Defender.exe, cwqxDxQiWlgCHGb.cs	High entropy of concatenated method names: 'NKOK6UgjJmOa6Im', 'igBJYGsMPitE6DG', 'jVpPD8sTfj9Nd10', 'G3EE5RtitA8krxl', 'Iz350rgzj3tqXNt', '_2LohON0bxHVhFNj', 'ufnMJe4vzMbpR6d', 'ifAbAoEYZVj5dHE', 'cIT6pad9Nfm5BIM', 'tkvQFISXvFMdFiN'
Source: Windows defender.exe.0.dr, 4HsJjuIP2UkRI9R.cs	High entropy of concatenated method names: 'jfw6pgiyRlXjLvW', '_73kiPYRZTt9iH8K', 'LuMB2o4Uhl3slYm', '_5iGvflySuJ2XB7mOoMsErBneGDDGoTVQxB7zXHDoI1b0LC9IeT7lXims44Ai1VS7R', 'qsUJnoNFDmuJGsQgdplxKlxv63v6KavmbVtF0JwKJQAA07HzBLj1iDe8rhkxBPZOs', 'YeW5xHeQumgoAkjFU2J9qnRqbGllYzYTu1JWTlFx65nbNgN6kfL4Tj3g8N066pGVH', 'C9g9BCZonES8wz7DXkLz8oNb9f926DDafJELUyu01BVE34DuE34v1X1ttiQoMK0Fl', '_6GrR4BNPHoCS3xvSYAnwhYYm8IFBAqwW3S7L67cWPC8A5B5CuHuaIboPDwjsyuUX7', 'rjcbd1yYzzaaY8lGu3cfV6xgZbMypogrooTZ5z7t3LIHv5eZFM7fWXHCLBBb8vEkG', 'AwF5JHjCl5FhRMAkYMRBiy5ekbqTyLdWmHkLQp1gM6RrCm8sIApYyfqhmokialfEU'
Source: Windows defender.exe.0.dr, IiG77VCIYIyAinp.cs	High entropy of concatenated method names: 'On7tk7CL4ICqwtJ17iyjvmroiyw8WZlr4MB4LP0nA8dx3ySI', 'V7eUuu0Dc75KTOrci9ReUfHmMHpjn3wFJJRKZH6QBZt45qfA', '_7V3NAsTVvEpV1KghbpMBUBfXxJ0gqd14EW7QgC5jRRCOicxa', 'H3wsgnzQp18ON9bs9wjvVyXbX9kSmtp8LrrlKFAIKltFLuZt'
Source: Windows defender.exe.0.dr, GzYlpNyzaslb0P5ovfphEnusQWYGKo.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'EJzGa7Ric7poYCgb41mvt5ldgjt51zq0BhFA1Xjj4wvS8InZ', 'GQ7tE9xs7bgguiu4ayikFAYQW0uh1MtAiHNsSkYdUqkdsLPI', 'omqgjj5ThJ8sFg3yxDaEwabnJhSmuqwI4e38fCjJrhdNKM5V', 'fsP5Xf2jdvqOWEV11Et9IH91ihdTx8o2dGfo9jMlkXZcQBQX'
Source: Windows defender.exe.0.dr, yfcXnm8Ph88Q7SS.cs	High entropy of concatenated method names: 'YxIUiUb1239uDz3', 'gMqKkY39oBJdPEc', 'wDmblHZzi5ufWIx', 'fIi1pkQemOV1VOg', 'LP2QKJGgCnpmSZ9', 'LIjuTg9mGO9GE6i', 'HzUFxULiarW50EW', '_80kl1VPnKSNLHn1', 'Dm2owszwUpyoSfa', 'hfZTr2VHFCTKyZz'
Source: Windows defender.exe.0.dr, DNAvWoxlxYdwRmJ.cs	High entropy of concatenated method names: 'YIMRtj1s9oNdU0N', '_5520HD1l8I2XRvvtXor9rfriehZm8XltHQUn20fvMgMr2pscG6OXUObl62pMLvYKdozsLDDyfkrTUzmW', 'kiAxGyXDIwuNBtK5wSL03PDYcLGzFoSqgROWN7GzW8uxRe1zCAcaKSVXJCHkWSmyAx9dKZPxZnbkoans', 'UBEhOpEhEJVw0VvqFMFmXP0eFyLMjTEZiaEqtdOUt1LVVYwizDfaeR1OegbFNjEvIFl2IUDB5TiCzhtw', 'Q3EP9OA0Z2GirNFLWCgus087plBS9P1WIaB5fpMmWaE5VJSj6kbZXEy1T1A2SkZr06zNXvZHj8S5hGZy'
Source: Windows defender.exe.0.dr, 85IhxSGtOfNN64Z.cs	High entropy of concatenated method names: 'yWre6hYlj3lAFIe', 'w53lih6zzuxhdoo', 'ztKj3tzVIquKCWN', 'iAZZ3meOOCoWCuv', 'AG6EflH4htfZrjb', 'di3uQfxFg5FUgGd', 'SUaVC5nJy749fR2', 'Ml9Lz9F6G4XkEEc', 'gxrqTZHTbl6sS38', 'EoQBMeo9SVrfYpN'
Source: Windows defender.exe.0.dr, k9ZEaIQ7WE7abcI.cs	High entropy of concatenated method names: 'SYKN04mGwOtKVri', 'RXvOTn7ZPneJ4ZmOWPMXI2mHhemT0Op6a4Wr1k71y4plI4drhye04rKq9kMGh3xstgorqutmVwu8tcdV', '_9wlF4qXH0wGWgIlS9v9hUETRfiDCq4jhZJgaODbm9EYAkznyRHytEMnJ4sCOFGcXoQJWorb0sK3GUFG9', 'kSb5yxplkRlmGSPlEOM22U9HEoVFXc5txExM3cE5l909fwyxWVquMoNW09PCg57MSbhzrIynoB6jPMdf', '_82BSeVPHTKcOIrF2B5Rgi85jyt297gdkbsm9gtzjOjptS0tyVVEGOljUszwSogP0eu0zgr2L7yYMZezB'
Source: Windows defender.exe.0.dr, I3Th8Mh3i2t6BO8.cs	High entropy of concatenated method names: 'ycTB3QchYaPi6ld', 'deWxASI79woyq9X', '_0n7KpTltKIHYr4T', 'cnoumh2fnWdtSFr', 'pPbZfiyGiLZG83y0NXDujtd2OM9WsXrz7NxMSTjqhuuqXe5XIiwVCIBWN2VwcjY0oBNfeFPxal0iaAv6', 'lUNdOxJmo5suVRX8JZ85chk8dM8838T0TptE9RG0agy0GZKB25UGwHyyGXQzzotyY8KLjqrlJW1NAgA4', '_4vaG21eQNCBulv8UEgvZCAGl3LLf0chsyWtLb0RTqD5A7FuuJ1qSC6ANZnjGgbj59DVznlAqMwOu0LBo', 'Oy6IC0Gx3rsmgu9XRxA3eALAbWTpa6qGsJVPVVuv2so4quJbzZpYJpfbZZgBRr0MRDQQcTswHO6B3PEB', 'GmuG9UvlyARiNeQmXPqoYPMWFFeN1J2qPCDGaWZFGxmfPxArgsFTyoZrkl68opIm9IqICHdpruCNVwyD', 'EY72UclcflxCpseqbhJFb2aRgAGvqfAxZFhVmgMBW6u46L1oNPeisTXrv4zGXLoMmlDtzGeHk2ylsHpd'
Source: Windows defender.exe.0.dr, sjmftLizVeKZw8R.cs	High entropy of concatenated method names: 'fC2Hv3iN2A8bbkN', 'LDG4MG013gN6bXu', 'e5Y4CqvEcAEoHx6', 'WxHBkeBtQLLel5W', 'LclPVtD49F1s3Ze', 'HQae3xAr1kaUxi8', '_4JhsqusRTKSKtTK', 'KBnf1CAHIhlDR6u', 'TQKV9rsqz5qXI2U', 'eztSPsRMjtnDHAH'
Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs	High entropy of concatenated method names: 'ZA1wSX8Y9rkyTOK', '_6l4VVkKWlLft6pE', 'mPqymSheHPUODwD', 'L2l2tsx1mGtScNH', 'GgWLdnBgKUFVsKe', 'mAzEPTGccxcwXrt', 'Ngd0V2uENuoJV7Y', '_1avyPG6avJrhMmb', 'YwYLCnL16L0IAiE', 'DfKhJS0b7F4dMa0'
Source: Windows defender.exe.0.dr, cwqxDxQiWlgCHGb.cs	High entropy of concatenated method names: 'NKOK6UgjJmOa6Im', 'igBJYGsMPitE6DG', 'jVpPD8sTfj9Nd10', 'G3EE5RtitA8krxl', 'Iz350rgzj3tqXNt', '_2LohON0bxHVhFNj', 'ufnMJe4vzMbpR6d', 'ifAbAoEYZVj5dHE', 'cIT6pad9Nfm5BIM', 'tkvQFISXvFMdFiN'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, 4HsJjuIP2UkRI9R.cs	High entropy of concatenated method names: 'jfw6pgiyRlXjLvW', '_73kiPYRZTt9iH8K', 'LuMB2o4Uhl3slYm', '_5iGvflySuJ2XB7mOoMsErBneGDDGoTVQxB7zXHDoI1b0LC9IeT7lXims44Ai1VS7R', 'qsUJnoNFDmuJGsQgdplxKlxv63v6KavmbVtF0JwKJQAA07HzBLj1iDe8rhkxBPZOs', 'YeW5xHeQumgoAkjFU2J9qnRqbGllYzYTu1JWTlFx65nbNgN6kfL4Tj3g8N066pGVH', 'C9g9BCZonES8wz7DXkLz8oNb9f926DDafJELUyu01BVE34DuE34v1X1ttiQoMK0Fl', '_6GrR4BNPHoCS3xvSYAnwhYYm8IFBAqwW3S7L67cWPC8A5B5CuHuaIboPDwjsyuUX7', 'rjcbd1yYzzaaY8lGu3cfV6xgZbMypogrooTZ5z7t3LIHv5eZFM7fWXHCLBBb8vEkG', 'AwF5JHjCl5FhRMAkYMRBiy5ekbqTyLdWmHkLQp1gM6RrCm8sIApYyfqhmokialfEU'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, IiG77VCIYIyAinp.cs	High entropy of concatenated method names: 'On7tk7CL4ICqwtJ17iyjvmroiyw8WZlr4MB4LP0nA8dx3ySI', 'V7eUuu0Dc75KTOrci9ReUfHmMHpjn3wFJJRKZH6QBZt45qfA', '_7V3NAsTVvEpV1KghbpMBUBfXxJ0gqd14EW7QgC5jRRCOicxa', 'H3wsgnzQp18ON9bs9wjvVyXbX9kSmtp8LrrlKFAIKltFLuZt'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, GzYlpNyzaslb0P5ovfphEnusQWYGKo.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'EJzGa7Ric7poYCgb41mvt5ldgjt51zq0BhFA1Xjj4wvS8InZ', 'GQ7tE9xs7bgguiu4ayikFAYQW0uh1MtAiHNsSkYdUqkdsLPI', 'omqgjj5ThJ8sFg3yxDaEwabnJhSmuqwI4e38fCjJrhdNKM5V', 'fsP5Xf2jdvqOWEV11Et9IH91ihdTx8o2dGfo9jMlkXZcQBQX'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, yfcXnm8Ph88Q7SS.cs	High entropy of concatenated method names: 'YxIUiUb1239uDz3', 'gMqKkY39oBJdPEc', 'wDmblHZzi5ufWIx', 'fIi1pkQemOV1VOg', 'LP2QKJGgCnpmSZ9', 'LIjuTg9mGO9GE6i', 'HzUFxULiarW50EW', '_80kl1VPnKSNLHn1', 'Dm2owszwUpyoSfa', 'hfZTr2VHFCTKyZz'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, DNAvWoxlxYdwRmJ.cs	High entropy of concatenated method names: 'YIMRtj1s9oNdU0N', '_5520HD1l8I2XRvvtXor9rfriehZm8XltHQUn20fvMgMr2pscG6OXUObl62pMLvYKdozsLDDyfkrTUzmW', 'kiAxGyXDIwuNBtK5wSL03PDYcLGzFoSqgROWN7GzW8uxRe1zCAcaKSVXJCHkWSmyAx9dKZPxZnbkoans', 'UBEhOpEhEJVw0VvqFMFmXP0eFyLMjTEZiaEqtdOUt1LVVYwizDfaeR1OegbFNjEvIFl2IUDB5TiCzhtw', 'Q3EP9OA0Z2GirNFLWCgus087plBS9P1WIaB5fpMmWaE5VJSj6kbZXEy1T1A2SkZr06zNXvZHj8S5hGZy'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, 85IhxSGtOfNN64Z.cs	High entropy of concatenated method names: 'yWre6hYlj3lAFIe', 'w53lih6zzuxhdoo', 'ztKj3tzVIquKCWN', 'iAZZ3meOOCoWCuv', 'AG6EflH4htfZrjb', 'di3uQfxFg5FUgGd', 'SUaVC5nJy749fR2', 'Ml9Lz9F6G4XkEEc', 'gxrqTZHTbl6sS38', 'EoQBMeo9SVrfYpN'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, k9ZEaIQ7WE7abcI.cs	High entropy of concatenated method names: 'SYKN04mGwOtKVri', 'RXvOTn7ZPneJ4ZmOWPMXI2mHhemT0Op6a4Wr1k71y4plI4drhye04rKq9kMGh3xstgorqutmVwu8tcdV', '_9wlF4qXH0wGWgIlS9v9hUETRfiDCq4jhZJgaODbm9EYAkznyRHytEMnJ4sCOFGcXoQJWorb0sK3GUFG9', 'kSb5yxplkRlmGSPlEOM22U9HEoVFXc5txExM3cE5l909fwyxWVquMoNW09PCg57MSbhzrIynoB6jPMdf', '_82BSeVPHTKcOIrF2B5Rgi85jyt297gdkbsm9gtzjOjptS0tyVVEGOljUszwSogP0eu0zgr2L7yYMZezB'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, I3Th8Mh3i2t6BO8.cs	High entropy of concatenated method names: 'ycTB3QchYaPi6ld', 'deWxASI79woyq9X', '_0n7KpTltKIHYr4T', 'cnoumh2fnWdtSFr', 'pPbZfiyGiLZG83y0NXDujtd2OM9WsXrz7NxMSTjqhuuqXe5XIiwVCIBWN2VwcjY0oBNfeFPxal0iaAv6', 'lUNdOxJmo5suVRX8JZ85chk8dM8838T0TptE9RG0agy0GZKB25UGwHyyGXQzzotyY8KLjqrlJW1NAgA4', '_4vaG21eQNCBulv8UEgvZCAGl3LLf0chsyWtLb0RTqD5A7FuuJ1qSC6ANZnjGgbj59DVznlAqMwOu0LBo', 'Oy6IC0Gx3rsmgu9XRxA3eALAbWTpa6qGsJVPVVuv2so4quJbzZpYJpfbZZgBRr0MRDQQcTswHO6B3PEB', 'GmuG9UvlyARiNeQmXPqoYPMWFFeN1J2qPCDGaWZFGxmfPxArgsFTyoZrkl68opIm9IqICHdpruCNVwyD', 'EY72UclcflxCpseqbhJFb2aRgAGvqfAxZFhVmgMBW6u46L1oNPeisTXrv4zGXLoMmlDtzGeHk2ylsHpd'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, sjmftLizVeKZw8R.cs	High entropy of concatenated method names: 'fC2Hv3iN2A8bbkN', 'LDG4MG013gN6bXu', 'e5Y4CqvEcAEoHx6', 'WxHBkeBtQLLel5W', 'LclPVtD49F1s3Ze', 'HQae3xAr1kaUxi8', '_4JhsqusRTKSKtTK', 'KBnf1CAHIhlDR6u', 'TQKV9rsqz5qXI2U', 'eztSPsRMjtnDHAH'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs	High entropy of concatenated method names: 'ZA1wSX8Y9rkyTOK', '_6l4VVkKWlLft6pE', 'mPqymSheHPUODwD', 'L2l2tsx1mGtScNH', 'GgWLdnBgKUFVsKe', 'mAzEPTGccxcwXrt', 'Ngd0V2uENuoJV7Y', '_1avyPG6avJrhMmb', 'YwYLCnL16L0IAiE', 'DfKhJS0b7F4dMa0'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, cwqxDxQiWlgCHGb.cs	High entropy of concatenated method names: 'NKOK6UgjJmOa6Im', 'igBJYGsMPitE6DG', 'jVpPD8sTfj9Nd10', 'G3EE5RtitA8krxl', 'Iz350rgzj3tqXNt', '_2LohON0bxHVhFNj', 'ufnMJe4vzMbpR6d', 'ifAbAoEYZVj5dHE', 'cIT6pad9Nfm5BIM', 'tkvQFISXvFMdFiN'

Drops PE files

Source: C:\Users\user\Desktop\Windows Defender.exe

File created: C:\Users\user\AppData\Roaming\Windows defender.exe

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\Windows Defender.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows defender.lnk

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\Windows Defender.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows defender.lnk

Jump to behavior

Source: C:\Users\user\Desktop\Windows Defender.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows defender			Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows defender			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Windows Defender.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Windows Defender.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Windows Defender.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Windows Defender.exe, 00000000.00000002.2938486382.0000000002981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Windows Defender.exe, Windows defender.exe.0.dr	Binary or memory string: SBIEDLL.DLLASSBC68E0MEKPEVR4DCWZ2QYFOLPF9HXYGFFRWC6JFPPHY7QHASTUWIU0M2HUWJOFFN62RZJLF4OPSJSN2JVIV7DCXK1HHOUAWAPLZC2HUHO9OUDJYBBIID5WMYEQSOIT5FGZODAHXWX7TS22XFA6F7CQMYRVHDGON7XHUXBTVMB5OQ8SEHPYA5F1L9R1KDGX1H3APQOKXHEQUB2UQJBOWDNEM3V1ZCG0HYZWOUOUGQ4OSRNRY4T5ANUNOTOHVIMVRKLU4B14PUDOWL6SXKUVEOI33A1EHABCQQZCRA8PQMNCOEW7QMMT9OGFVWICUY9U5MKOQDNF4F0WI3R1WUHIWOAX3AGLL9SIWGVQQZSTYNDJBKFAQGCEPOUNPCAQIRZHUNRPUIKAFIBJPFZSMINKFA9FNC0W9L0CIPAIZR4UDR3PY7U2OYKFANVKA4AI25VQYVC9LTPWNJHKLUCICHGEDANAVMOBF1IPNSKPUB86GARB59HI5VVHTTQVYDRDW1JZOWNBZIB8JCDPHZSUBZHAVTORVDAC7POF10AKNEWW7FKGKHXWNZZAGHJIF00NPSI9KYKOTYSZOORAPLXSKRC9HKZJSZODJMOY6TYQ6ODNJVASSCQIU7IZOZF0R0XAAO7YBTDMT4Z0YDGF9LM2MYLTTFX7XC5MCCURYT1OVSXMGZ2P8INFO

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\Windows Defender.exe	Memory allocated: BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Memory allocated: 1A980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Memory allocated: 8E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Memory allocated: 1A300000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Memory allocated: 1390000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Memory allocated: 1B070000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\Windows Defender.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\Windows Defender.exe	Window / User API: threadDelayed 3856	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Window / User API: threadDelayed 5982	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4225	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6974	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2817	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7393	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2162	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7563
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2061

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\Windows Defender.exe TID: 1244	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2124	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2188	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7120	Thread sleep count: 7393 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3260	Thread sleep count: 2162 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5440	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3684	Thread sleep count: 7563 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1908	Thread sleep count: 2061 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5952	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows defender.exe TID: 2008	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows defender.exe TID: 1848	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Windows Defender.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\Windows Defender.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\Windows Defender.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\catroot2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\AppxSip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SYSTEM32\OpcServices.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\wshext.dll

Source: Windows defender.exe.0.dr	Binary or memory string: vmware
Source: Windows Defender.exe, 00000000.00000002.2971854237.000000001B795000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Windows Defender.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\Windows Defender.exe

Code function: 0_2_00007FFD9B8B73F0 CheckRemoteDebuggerPresent,

0_2_00007FFD9B8B73F0

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Windows Defender.exe

Process queried: DebugPort

Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\Windows Defender.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Windows Defender.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows defender.exe'
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows defender.exe'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\Windows Defender.exe

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows defender.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows defender.exe'	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Windows Defender.exe	Queries volume information: C:\Users\user\Desktop\Windows Defender.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Windows Defender.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Queries volume information: C:\Users\user\AppData\Roaming\Windows defender.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Queries volume information: C:\Users\user\AppData\Roaming\Windows defender.exe VolumeInformation

Source: C:\Users\user\Desktop\Windows Defender.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\Windows Defender.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Windows Defender.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\Windows Defender.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: Windows Defender.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Windows Defender.exe.12991a78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Windows Defender.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2968960632.0000000012991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2938486382.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1679736888.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Windows Defender.exe PID: 6848, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Windows defender.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: Windows Defender.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Windows Defender.exe.12991a78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Windows Defender.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2968960632.0000000012991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2938486382.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1679736888.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Windows Defender.exe PID: 6848, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Windows defender.exe, type: DROPPED

ID:	1478314
Product:	CloudBasic
Start time:	14:02:08
Start date:	22.07.2024
Sample:	Windows Defender.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	f6d9f758f360decaf8e73f885be02571
SHA1:	ffc684a4500ade8e4e10e341880480db574a8642
SHA256:	03072c4acdc40c9aa06aab693d7a200934d5025d4c3ce46409ac6b435f2973bc
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows defender.exe.log	CSV text	30E4BDFC34907D0E4D11152CAEBE27FA	825402D6B151041BA01C5117387228EC9B7168BF	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	446DD1CF97EABA21CF14D03AEBC79F27	36E4CC7367E0C7B40F4A8ACE272941EA46373799	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
C:\Users\user\AppData\Local\Temp\Log.tmp	ASCII text, with CRLF line terminators	BFABEC865892A34F532FABF984F7E156	3C8292E49FEFD3DA96DBC289B36C4C710B0127E3	8C8E36E0088165B6606F75DF86D53D3527FD36518C5AAB07425969B066FEEEC6
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4d0gffu1.kdi.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5doctpg0.jh5.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a1yx1xhi.w2p.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a5afjpcb.rjj.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_an02oaqi.eh5.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bc0wv5r4.0qa.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f2myxf2u.u24.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gfzetyab.ch1.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_irw4ztao.tgd.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j1rp0ddx.gcr.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ksw5znke.o21.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mm2i0ohh.a1d.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nqhw0umi.k2z.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_szj344xv.hhd.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t4fvm4dp.z2f.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wwr51r4w.hm5.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows defender.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Jul 22 11:03:56 2024, mtime=Mon Jul 22 11:03:56 2024, atime=Mon Jul 22 11:03:56 2024, length=88704, window=hide	60BDB184ADAC1F9E0F66E722DD22FBEE	2BC5CEDD1F34CF00CAC8F7E666FDEE5C9FA560FE	2744F9024E774F9AEE91FFDAB6680D800C0739E904688FF5EC866E4A0C0F32C6
C:\Users\user\AppData\Roaming\Windows defender.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	F6D9F758F360DECAF8E73F885BE02571	FFC684A4500ADE8E4E10E341880480DB574A8642	03072C4ACDC40C9AA06AAB693D7A200934D5025D4C3CE46409AC6B435F2973BC

Windows Analysis Report
Windows Defender.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report Windows Defender.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Windows Defender.exe

Malware Threat Intel
Provided by